CVE-2026-24970
Path Traversal Vulnerability in Energox β€ 1.2 Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| designingmedia | energox | to 1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to deletion of core website files, which may cause the website to break or stop functioning entirely.
Because it allows arbitrary file deletion, attackers can disrupt website availability and potentially cause significant operational damage.
Can you explain this vulnerability to me?
CVE-2026-24970 is a Path Traversal vulnerability in the WordPress Energox Theme versions up to 1.2. This flaw allows an attacker with subscriber or developer privileges to delete arbitrary files from the affected website.
The vulnerability arises from improper limitation of a pathname to a restricted directory, enabling unauthorized file deletion.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WordPress Energox Theme to version 1.3 or later, which contains the patch for this vulnerability.
Until the update can be applied, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability.
It is also recommended to consult your hosting provider or developers if immediate updates are not feasible, due to the high risk of mass exploitation campaigns.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker with subscriber or developer privileges to delete arbitrary files from the affected website, potentially causing the site to break or stop functioning entirely.
Such arbitrary file deletion and potential site disruption could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability.
However, the provided information does not explicitly mention the impact on compliance with these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects WordPress Energox Theme versions up to 1.2 and allows arbitrary file deletion by users with subscriber or developer privileges. Detection typically involves checking the version of the Energox theme installed on your WordPress site.
To detect if your system is vulnerable, you can verify the theme version by running commands to inspect the theme files or by checking the WordPress admin dashboard.
- Use WP-CLI to check the installed theme version: wp theme list --status=active
- Manually check the style.css file in the Energox theme directory for the version number: cat wp-content/themes/energox/style.css | grep Version
Additionally, monitoring for suspicious file deletion activities or unexpected changes in website files could indicate exploitation attempts.
Patchstack has issued mitigation rules to block attacks targeting this vulnerability until the theme is updated to version 1.3 or later.