Skip to main content

Instant Va CVE-2026-24969

| EUVDEUVD-2026-15578 HIGH
Path Traversal (CWE-22)
2026-03-25 Patchstack GHSA-qh2g-w59g-x32v
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15578
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.7

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1.

AnalysisAI

A path traversal vulnerability in designingmedia Instant VA (a WordPress theme) allows attackers to access and manipulate files outside the intended restricted directory through improper pathname validation. This vulnerability affects Instant VA versions up to and including 1.0.1, enabling potential arbitrary file deletion or unauthorized file access depending on server permissions. While no CVSS or EPSS scoring has been assigned and KEV status is unknown, the vulnerability has been documented by Patchstack with a functional reference to the Instant VA theme, indicating active research and potential proof-of-concept availability.

Technical ContextAI

The vulnerability stems from a CWE-22 (Improper Limitation of Pathname to a Restricted Directory) flaw in the Instant VA WordPress theme (cpe:2.3:a:designingmedia:instant_va). Path traversal vulnerabilities occur when user-supplied input is used to construct file paths without adequate sanitization or validation, allowing attackers to use directory traversal sequences (such as ../ or encoded variants) to escape the intended root directory and access arbitrary files on the server filesystem. In the context of a WordPress theme, this likely affects template rendering, file inclusion mechanisms, or admin functionality that processes file paths. The theme's improper handling of pathname inputs fails to validate that resolved paths remain within the intended restricted directory, a common flaw in file handling routines that do not employ proper canonicalization or whitelist-based path validation.

RemediationAI

Update Instant VA to a version newer than 1.0.1 if available from designingmedia, or disable the theme entirely if no patched version is released. Verify the fix via the Patchstack database entry or contact designingmedia directly for an official security advisory. As an interim mitigation, apply principle-of-least-privilege: restrict WordPress file upload permissions, disable direct file editing (define DISALLOW_FILE_EDIT in wp-config.php), and use a Web Application Firewall (WAF) rule to block path traversal patterns (../, encoded sequences like %2e%2e%2f). Additionally, ensure the web server process runs with minimal filesystem permissions, isolate the WordPress directory, and implement strict input validation on any theme functions that accept file paths. Monitor access logs for traversal attempts and conduct a security audit of any files accessed or modified during the vulnerability window.

Share

CVE-2026-24969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy