CVE-2026-22448
Received Received - Intake
Path Traversal Vulnerability in PitchPrint Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22448
EUVD
EUVD-2026-15486
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
flexcubed pitchprint to 11.1.2 (inc)
flexcubed pitchprint From 11.1.2|end_including=11.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22448 is a Path Traversal vulnerability in the WordPress PitchPrint Plugin versions up to 11.1.2. It allows unauthenticated attackers to delete arbitrary files from a website by exploiting improper limitation of pathnames to restricted directories.

This vulnerability falls under OWASP Top 10 A1: Broken Access Control and can be exploited without any privileges.

Impact Analysis

Exploitation of this vulnerability allows attackers to delete files from your website, including core files, which can cause the site to break or stop functioning.

Because the vulnerability requires no authentication, it poses a high risk and can be exploited in mass campaigns targeting many websites regardless of their traffic or popularity.

The CVSS severity score for this vulnerability is 7.5, indicating a high likelihood of exploitation and significant impact.

Detection Guidance

The vulnerability allows unauthenticated attackers to delete files via the WordPress PitchPrint Plugin up to version 11.1.2. Detection can involve monitoring for suspicious HTTP requests attempting to exploit path traversal or arbitrary file deletion.

While specific commands are not provided, typical detection methods include analyzing web server logs for unusual requests targeting the PitchPrint plugin endpoints, especially those containing path traversal patterns such as '../' sequences.

Additionally, using web application firewall (WAF) logs or intrusion detection systems (IDS) with rules blocking known exploit patterns for this vulnerability can help detect exploitation attempts.

Mitigation Strategies

The most immediate and effective mitigation step is to update the PitchPrint plugin to version 11.2.0 or later, where the vulnerability has been patched.

Until the update can be applied, users are advised to implement mitigation rules provided by Patchstack that block all legitimate and illegitimate requests related to this vulnerability, covering all attack scenarios.

Patchstack also offers automatic mitigation and auto-update options to ensure rapid protection, which users should consider enabling.

Compliance Impact

The vulnerability allows unauthenticated attackers to delete arbitrary files from a website, which can lead to disruption of services and potential loss of critical data.

Such unauthorized file deletion and potential data loss could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22448. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart