{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24970", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:33.639Z", "dateUpdated": "2026-03-25T16:14:33.639Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "energox", "product": "Energox", "vendor": "designingmedia", "versions": [{"changes": [{"at": "1.3", "status": "unaffected"}], "lessThanOrEqual": "<= 1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:15.023Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.<p>This issue affects Energox: from n/a through <= 1.2.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.639Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/energox/vulnerability/wordpress-energox-theme-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Energox theme <= 1.2 - Arbitrary File Deletion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2."}], "id": "CVE-2026-24970", "lastModified": "2026-03-25T17:16:38.947", "metrics": {}, "published": "2026-03-25T17:16:38.947", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/energox/vulnerability/wordpress-energox-theme-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T20:09:58.915974+00:00", "value": {"mitigation_remediation": ["Upgrade the Energox theme to a version newer than 1.2.", "If an upgrade cannot be performed immediately, disable or uninstall the Energox theme to remove the vulnerable code.", "Restrict the file system permissions for the web\u2011server user so it cannot delete files outside the WordPress root directory.", "Deploy a web application firewall or similar controls to block requests containing path traversal patterns such as \"../\".", "Monitor server logs for unexpected delete operations or path traversal attempts to detect exploitation early."], "summary": {"action": "Immediate Patch", "impact": "File Deletion"}, "threat_synthesis": {"affected_systems": "All installations of the Energox theme version 1.2 or older are affected; no specific subversion is listed.", "description_and_impact": "The Energox WordPress theme contains a path traversal flaw that permits attackers to craft requests referencing files outside the intended directories, leading to the deletion of arbitrary files on the server. This vulnerability can compromise site integrity and availability by removing critical WordPress files, user uploads, or theme assets. The weakness is identified by CWE\u201122, which concerns improper limitation of a pathname to a restricted directory.", "risk_and_exploitability": "There is no CVSS score or EPSS data available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known exploits. The risk is high because deleting arbitrary files can cripple the site. The likely attack vector is remote, via crafted HTTP requests that exploit the path traversal vulnerability, provided the web\u2011server process has permission to delete files outside the designated directories."}}}}, "created": "2026-03-25T21:34:39.029814+00:00", "updated": "2026-03-25T21:34:39.029846+00:00", "vendors": []}