CVE-2026-31913
Path Traversal in Whitebox-Studio Scape Allows Unauthorized Access
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| whitebox-studio | scape | up to 1.5.16 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to perform arbitrary file deletion on affected websites, which can lead to site malfunction or failure.
Such unauthorized access and manipulation of files could potentially impact the integrity and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.
However, the provided information does not explicitly state the direct effects of this vulnerability on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-31913 is a high-priority vulnerability in the WordPress Scape Theme versions prior to 1.5.16. It is a Path Traversal vulnerability that allows unauthenticated attackers to perform arbitrary file deletion on affected websites.
This means attackers can delete critical files from the website, potentially causing site malfunction or complete failure.
The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 8.6, indicating it is highly dangerous and likely to be exploited in mass campaigns.
The issue was reported on February 5, 2026, and patched in version 1.5.16 of the Scape Theme.
How can this vulnerability impact me?
This vulnerability allows attackers to delete arbitrary files on your website without authentication.
The impact can include malfunctioning of your website or complete site failure due to the deletion of critical files.
Because it is exploitable by anyone without needing to log in, it poses a significant risk to website availability and integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to perform arbitrary file deletion via path traversal in affected WordPress Scape Theme versions prior to 1.5.16.
Detection can involve monitoring for unusual HTTP requests attempting to exploit path traversal patterns, such as requests containing sequences like "../" or attempts to delete critical files.
While specific commands are not provided, network administrators can use web server logs to search for suspicious URL patterns or use intrusion detection systems with rules targeting path traversal attempts.
Additionally, applying Patchstack's immediate mitigation rule can help block exploitation attempts and can be used as a detection mechanism to alert on blocked attacks.
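The log search described above, as an added example that is not from the advisory or from Patchstack: it scans access-log lines for traversal sequences, including percent-encoded and double-encoded forms. The advisory does not name the affected endpoint or parameter, so the request paths, the `file` and `action` parameters, the `scape` theme directory and the combined log format are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# ".." used as a whole path segment ("../" or "..\"), checked after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(lines):
    """Return (ip, method, status, decoded_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        target = fully_decode(m.group("target"))
        if TRAVERSAL_RE.search(target):
            hits.append((m.group("ip"), m.group("method"),
                         int(m.group("status")), target))
    return hits


# Constructed sample lines: documentation IP ranges, hypothetical parameter names.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Mar/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=../../example.txt HTTP/1.1" 200 12',
    '198.51.100.7 - - [25/Mar/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?file=..%2F..%2Fexample.txt HTTP/1.1" 200 2',
    '203.0.113.9 - - [25/Mar/2026:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=%252e%252e%252f%252e%252e%252fexample.txt HTTP/1.1" 403 0',
    '192.0.2.20 - - [25/Mar/2026:10:03:00 +0000] "GET /wp-content/themes/scape/style.css?ver=1.5.15 HTTP/1.1" 200 5120',
    '192.0.2.20 - - [25/Mar/2026:10:03:04 +0000] "GET /blog/notes..draft/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(*hit, sep="\t")
```

Access logs normally record only the request URL, so a traversal sequence sent in a POST body will not show up in this search; request-body logging or a WAF rule is needed to see those.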
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the WordPress Scape Theme to version 1.5.16 or later, where the vulnerability has been patched.
Until the update can be applied, users should implement Patchstack's immediate mitigation rule, which blocks exploitation attempts and provides rapid protection.
If immediate updating or applying the mitigation rule is not possible, users are advised to seek assistance from their hosting provider or web developer to secure the site.