Impact
The vulnerability permits an unauthenticated attacker to delete arbitrary files on a WordPress site that has WorkScout-Core plugin version 1.7.11 or earlier. By crafting a request that triggers the deletion routine, the attacker can remove any file within portions of the site’s file system that the web process can reach, causing destructive loss of content, configuration files, or other critical data. The impact is loss of data and availability, reflected by the CVSS rating and the CWE-22 designation, which indicates insecure file deletion or path traversal.
Affected Systems
Purethemes’ WorkScout-Core WordPress plugin is affected. Versions up to and including 1.7.11 contain the flaw. Sites running WordPress that have installed any of those versions are vulnerable. The bug is limited to that plugin, not to the core WordPress installation itself.
Risk and Exploitability
The CVSS score of 6.5 signals a moderate risk, and the vulnerability is exploitable without authentication, meaning an attacker with internet access can trigger it. The EPSS score is not available, but the design of the flaw suggests that any site with the plugin exposed online could be abused. Because the flaw can delete critical files, it could also lead to denial of service. The CNA does not list it in CISA’s KEV catalog, so it is not a known extremely widely exploited flaw, but the lack of integrity controls around the deletion process makes the risk high in practice.
OpenCVE Enrichment