{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24970", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:33.639Z", "dateUpdated": "2026-03-27T15:13:56.432Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "energox", "product": "Energox", "vendor": "designingmedia", "versions": [{"changes": [{"at": "1.3", "status": "unaffected"}], "lessThanOrEqual": "<= 1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:15.023Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.<p>This issue affects Energox: from n/a through <= 1.2.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.639Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/energox/vulnerability/wordpress-energox-theme-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Energox theme <= 1.2 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T15:13:30.617208Z", "id": "CVE-2026-24970", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:13:56.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24970", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T15:13:30.617208Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:12:40.784Z"}}], "cna": {"title": "WordPress Energox theme <= 1.2 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "affected": [{"vendor": "designingmedia", "product": "Energox", "versions": [{"status": "affected", "changes": [{"at": "1.3", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2"}], "packageName": "energox", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:15.023Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/energox/vulnerability/wordpress-energox-theme-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.<p>This issue affects Energox: from n/a through <= 1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24970", "state": "PUBLISHED", "dateUpdated": "2026-03-27T15:13:56.432Z", "dateReserved": "2026-01-28T09:50:41.578Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:33.639Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2."}, {"lang": "es", "value": "Vulnerabilidad de Limitaci\u00f3n Incorrecta de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') en designingmedia Energox energox permite Salto de Ruta. Este problema afecta a Energox: desde n/a hasta &lt;= 1.2."}], "id": "CVE-2026-24970", "lastModified": "2026-03-30T13:27:12.923", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:38.947", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/energox/vulnerability/wordpress-energox-theme-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[1.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Energox", "source": "cna", "vendor": "designingmedia"}, "product": "energox", "vendor": "designingmedia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T17:52:06.377486+00:00", "value": {"mitigation_remediation": ["Update Energox to a version greater than 1.2 or remove the theme entirely", "If an immediate upgrade is not possible, disable any file deletion features exposed by the theme or restrict them to a secure context", "Configure strict file permissions on the WordPress content directory to prevent unauthorized deletion", "Monitor server and WordPress logs for indications of file manipulation attempts"], "summary": {"action": "Update Theme", "impact": "Arbitrary File Deletion via Path Traversal"}, "threat_synthesis": {"affected_systems": "Any WordPress site using the designingmedia Energox theme version 1.2 or earlier is affected. The theme itself is the only component that handles file deletion and relative paths, so other plugins or themes are not implicated.", "description_and_impact": "The vulnerability allows an attacker to craft requests that bypass the Energox theme\u2019s file handling logic and delete any file located within the web root. This leads to loss of critical site data or configuration files, directly compromising the integrity and availability of the WordPress installation.", "risk_and_exploitability": "The issue carries a high severity rating and a low observed exploitation probability; exploitation would require the attacker to trigger the theme\u2019s file deletion functionality, likely through a crafted URL or form submission. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities list, which suggests it is not a widely deployed, actively exploited flaw. Because it results in arbitrary deletion of server files, successful exploitation would allow denial of service or further compromise of the site."}}}}, "created": "2026-03-25T21:34:39.029814+00:00", "updated": "2026-03-27T20:26:28.380033+00:00", "vendors": ["designingmedia", "designingmedia$PRODUCT$energox", "wordpress", "wordpress$PRODUCT$wordpress"]}