Description
Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 1.7.11 versions.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an unauthenticated attacker to delete arbitrary files on a WordPress site that has WorkScout-Core plugin version 1.7.11 or earlier. By crafting a request that triggers the deletion routine, the attacker can remove any file within portions of the site’s file system that the web process can reach, causing destructive loss of content, configuration files, or other critical data. The impact is loss of data and availability, reflected by the CVSS rating and the CWE-22 designation, which indicates insecure file deletion or path traversal.

Affected Systems

Purethemes’ WorkScout-Core WordPress plugin is affected. Versions up to and including 1.7.11 contain the flaw. Sites running WordPress that have installed any of those versions are vulnerable. The bug is limited to that plugin, not to the core WordPress installation itself.

Risk and Exploitability

The CVSS score of 6.5 signals a moderate risk, and the vulnerability is exploitable without authentication, meaning an attacker with internet access can trigger it. The EPSS score is not available, but the design of the flaw suggests that any site with the plugin exposed online could be abused. Because the flaw can delete critical files, it could also lead to denial of service. The CNA does not list it in CISA’s KEV catalog, so it is not a known extremely widely exploited flaw, but the lack of integrity controls around the deletion process makes the risk high in practice.

Generated by OpenCVE AI on June 18, 2026 at 11:43 UTC.

Remediation

Vendor Solution

Update the WordPress WorkScout-Core Plugin to the latest available version (at least 1.7.12).


OpenCVE Recommended Actions

  • Upgrade WorkScout-Core to version 1.7.12 or later.
  • If an upgrade cannot be performed immediately, deactivate or uninstall the WorkScout-Core plugin to eliminate the vulnerable code.
  • Modify file system permissions or configuration so that the web server process cannot delete critical files, or implement path validation checks before deletion.

Generated by OpenCVE AI on June 18, 2026 at 11:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Purethemes
Purethemes workscout Core
Wordpress
Wordpress wordpress
Vendors & Products Purethemes
Purethemes workscout Core
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 1.7.11 versions.
Title WordPress WorkScout-Core plugin <= 1.7.11 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Purethemes Workscout Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:37:54.276Z

Reserved: 2026-06-08T10:11:21.891Z

Link: CVE-2026-52716

cve-icon Vulnrichment

Updated: 2026-06-17T15:37:47.993Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T11:45:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')