CVE-2026-22448
Path Traversal Vulnerability in PitchPrint Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal. This issue affects PitchPrint: from n/a through <= 11.1.2.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs

Vendor      Product      Version / Range
flexcubed   pitchprint   up to 11.1.2 (inclusive)
flexcubed   pitchprint   from 11.1.2 through 11.1.2 (inclusive)
CWE

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22448 is a Path Traversal vulnerability in the WordPress PitchPrint Plugin versions up to 11.1.2. It allows unauthenticated attackers to delete arbitrary files from a website by exploiting improper limitation of pathnames to restricted directories.

This vulnerability falls under OWASP Top 10 A1: Broken Access Control and can be exploited without any privileges.


How can this vulnerability impact me?

Exploitation of this vulnerability allows attackers to delete files from your website, including core files, which can cause the site to break or stop functioning.

Because the vulnerability requires no authentication, it poses a high risk and can be exploited in mass campaigns targeting many websites regardless of their traffic or popularity.

The CVSS severity score for this vulnerability is 7.5, indicating a high likelihood of exploitation and significant impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability allows unauthenticated attackers to delete files via the WordPress PitchPrint Plugin up to version 11.1.2. Detection can involve monitoring for suspicious HTTP requests attempting to exploit path traversal or arbitrary file deletion.

While specific commands are not provided, typical detection methods include analyzing web server logs for unusual requests targeting the PitchPrint plugin endpoints, especially those containing path traversal patterns such as '../' sequences.

Additionally, using web application firewall (WAF) logs or intrusion detection systems (IDS) with rules blocking known exploit patterns for this vulnerability can help detect exploitation attempts.
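As an added example that is not part of the page's AI answer or of any Patchstack or PitchPrint code, the following script implements the log review described above: it parses combined-format access-log lines, fully URL-decodes the request target (so encoded and double-encoded dot-dot sequences are caught), and flags requests to the plugin directory that carry a traversal segment. The plugin path (/wp-content/plugins/pitchprint/), the endpoint file name and the sample log lines are constructed assumptions.

```python
"""Flag path-traversal attempts aimed at the PitchPrint plugin directory in
web-server access logs. Constructed defensive example, not project code."""
import re
from urllib.parse import unquote

# Assumption: the plugin is installed under the default WordPress plugin path.
PLUGIN_PATH = "/wp-content/plugins/pitchprint/"

# Apache/Nginx "combined" format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment at the start, or after a path/query delimiter, followed by "/" or end.
TRAVERSAL_RE = re.compile(r"(?:^|[/?=&;])\.\.(?:/|$)")

def normalize(target: str) -> str:
    """Decode until stable (handles %2e%2e%2f and double encoding) and fold
    backslashes to forward slashes so one pattern covers both separators."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target.replace("\\", "/")

def is_traversal_attempt(target: str) -> bool:
    """True when the decoded request targets the plugin path and contains a
    traversal segment anywhere in its path or query string."""
    decoded = normalize(target)
    if PLUGIN_PATH not in decoded.lower():
        return False
    return bool(TRAVERSAL_RE.search(decoded))

def scan(lines):
    """Return (client, timestamp, status, decoded target) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["ts"], int(m["status"]), normalize(m["target"])))
    return hits

# Constructed sample log lines; "endpoint.php" is a placeholder, not a real plugin file.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "GET /wp-content/plugins/pitchprint/assets/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Mar/2026:10:02:15 +0000] "GET /wp-content/plugins/pitchprint/endpoint.php?file=../../../example.txt HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.4 - - [25/Mar/2026:10:03:40 +0000] "POST /wp-content/plugins/pitchprint/endpoint.php?file=..%252F..%252Fexample.txt HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.8 - - [25/Mar/2026:10:04:01 +0000] "GET /index.php?p=../../example HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, target in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} {target}")
```

Only requests to the plugin directory are reported (the fourth sample line has a traversal sequence but a different target and is ignored); widen `PLUGIN_PATH` to scan the whole site, and treat a 200 response to a flagged request as a higher-priority finding than a 403.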


What immediate steps should I take to mitigate this vulnerability?

The most immediate and effective mitigation step is to update the PitchPrint plugin to version 11.2.0 or later, where the vulnerability has been patched.

Until the update can be applied, users are advised to implement mitigation rules provided by Patchstack that block all legitimate and illegitimate requests related to this vulnerability, covering all attack scenarios.

Patchstack also offers automatic mitigation and auto-update options to ensure rapid protection, which users should consider enabling.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to delete arbitrary files from a website, which can lead to disruption of services and potential loss of critical data.

Such unauthorized file deletion and potential data loss could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

