CVE-2026-24970
Received Received - Intake
Path Traversal Vulnerability in Energox ≀ 1.2 Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24970
EUVD
EUVD-2026-15580
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
designingmedia energox to 1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24970 is a Path Traversal vulnerability in the WordPress Energox Theme versions up to 1.2. This flaw allows an attacker with subscriber or developer privileges to delete arbitrary files from the affected website.

The vulnerability arises from improper limitation of a pathname to a restricted directory, enabling unauthorized file deletion.

Impact Analysis

Exploitation of this vulnerability can lead to deletion of core website files, which may cause the website to break or stop functioning entirely.

Because it allows arbitrary file deletion, attackers can disrupt website availability and potentially cause significant operational damage.

Mitigation Strategies

The immediate mitigation step is to update the WordPress Energox Theme to version 1.3 or later, which contains the patch for this vulnerability.

Until the update can be applied, Patchstack has issued a mitigation rule to block attacks targeting this vulnerability.

It is also recommended to consult your hosting provider or developers if immediate updates are not feasible, due to the high risk of mass exploitation campaigns.

Compliance Impact

The vulnerability allows an attacker with subscriber or developer privileges to delete arbitrary files from the affected website, potentially causing the site to break or stop functioning entirely.

Such arbitrary file deletion and potential site disruption could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and availability.

However, the provided information does not explicitly mention the impact on compliance with these regulations.

Detection Guidance

This vulnerability affects WordPress Energox Theme versions up to 1.2 and allows arbitrary file deletion by users with subscriber or developer privileges. Detection typically involves checking the version of the Energox theme installed on your WordPress site.

To detect if your system is vulnerable, you can verify the theme version by running commands to inspect the theme files or by checking the WordPress admin dashboard.

  • Use WP-CLI to check the installed theme version: wp theme list --status=active
  • Manually check the style.css file in the Energox theme directory for the version number: cat wp-content/themes/energox/style.css | grep Version

Additionally, monitoring for suspicious file deletion activities or unexpected changes in website files could indicate exploitation attempts.

Patchstack has issued mitigation rules to block attacks targeting this vulnerability until the theme is updated to version 1.3 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24970. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart