CVE-2025-15470
Arbitrary Directory Deletion in Eleganzo WordPress Theme
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eleganzo | eleganzo_theme | up to 1.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Eleganzo theme for WordPress has a vulnerability that allows authenticated users with Subscriber-level access or higher to delete arbitrary directories on the server. This happens because the function akd_required_plugin_callback does not properly validate file paths, enabling attackers to delete important directories, including the WordPress root directory.
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing attackers to delete critical directories on your server. Since even users with low-level access (Subscriber) can exploit it, it can lead to loss of website data, disruption of service, and potentially complete site downtime if essential directories like the WordPress root are deleted.