Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2.
AnalysisAI
A path traversal vulnerability exists in flexcubed PitchPrint plugin through version 11.1.2, allowing attackers to access files outside of restricted directories. The vulnerability affects the PitchPrint WordPress plugin and enables unauthorized file access through improper pathname validation. No CVSS score or EPSS data is currently available, but the CWE-22 classification and Patchstack reporting indicate this is a genuine path traversal issue requiring immediate attention.
Technical ContextAI
The vulnerability is rooted in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a common weakness in web applications that fail to properly validate and sanitize user-supplied file path inputs. The affected product is flexcubed PitchPrint (CPE: cpe:2.3:a:flexcubed:pitchprint:*:*:*:*:*:*:*:*), a WordPress plugin used for design customization. The path traversal flaw likely occurs in file handling or template processing logic where directory traversal sequences (e.g., '../') are not adequately filtered, allowing attackers to escape the intended application directory and access arbitrary files on the server filesystem. This is a classic input validation vulnerability where user-controlled file path parameters are not sufficiently restricted to their intended base directory.
RemediationAI
Immediately upgrade the PitchPrint plugin to a version higher than 11.1.2 (consult the Patchstack advisory and official flexcubed release notes for the patched version). Until a patch is available or can be deployed, implement the following interim controls: restrict file upload and processing functionality at the web server or WAF level, apply strict input validation and sanitization rules that reject any path traversal sequences (../, ..\ ), enforce principle of least privilege on the web server process to limit file system access, and monitor file system access logs for suspicious path traversal attempts. Additionally, consider temporarily disabling the PitchPrint plugin if the risk cannot be otherwise mitigated pending patch availability.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15486
GHSA-6j9x-qfg8-f96r