CVE-2026-31913
Received Received - Intake
Path Traversal in Whitebox-Studio Scape Allows Unauthorized Access

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: Patchstack

Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31913
EUVD
EUVD-2026-15813
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
whitebox-studio scape to 1.5.16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to perform arbitrary file deletion on affected websites, which can lead to site malfunction or failure.

Such unauthorized access and manipulation of files could potentially impact the integrity and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the provided information does not explicitly state the direct effects of this vulnerability on compliance with these regulations.

Executive Summary

CVE-2026-31913 is a high-priority vulnerability in the WordPress Scape Theme versions prior to 1.5.16. It is a Path Traversal vulnerability that allows unauthenticated attackers to perform arbitrary file deletion on affected websites.

This means attackers can delete critical files from the website, potentially causing site malfunction or complete failure.

The vulnerability falls under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 8.6, indicating it is highly dangerous and likely to be exploited in mass campaigns.

The issue was reported on February 5, 2026, and patched in version 1.5.16 of the Scape Theme.

Impact Analysis

This vulnerability allows attackers to delete arbitrary files on your website without authentication.

The impact can include malfunctioning of your website or complete site failure due to the deletion of critical files.

Because it is exploitable by anyone without needing to log in, it poses a significant risk to website availability and integrity.

Detection Guidance

This vulnerability allows unauthenticated attackers to perform arbitrary file deletion via path traversal in affected WordPress Scape Theme versions prior to 1.5.16.

Detection can involve monitoring for unusual HTTP requests attempting to exploit path traversal patterns, such as requests containing sequences like "../" or attempts to delete critical files.

While specific commands are not provided, network administrators can use web server logs to search for suspicious URL patterns or use intrusion detection systems with rules targeting path traversal attempts.

Additionally, applying Patchstack’s immediate mitigation rule can help block exploitation attempts and can be used as a detection mechanism to alert on blocked attacks.

Mitigation Strategies

The primary mitigation step is to update the WordPress Scape Theme to version 1.5.16 or later, where the vulnerability has been patched.

Until the update can be applied, users should implement Patchstack’s immediate mitigation rule, which blocks exploitation attempts and provides rapid protection.

If immediate updating or applying the mitigation rule is not possible, users are advised to seek assistance from their hosting provider or web developer to secure the site.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart