Skip to main content

Wzone CVE-2026-27040

| EUVDEUVD-2026-15758 HIGH
Path Traversal (CWE-22)
2026-03-25 Patchstack GHSA-88fr-wj35-pwpg
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15758
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 8.8

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal.This issue affects WZone: from n/a through <= 14.0.31.

AnalysisAI

AA-Team WZone versions 14.0.31 and earlier contain a path traversal vulnerability that allows authenticated attackers to access files outside intended directories. An attacker with valid credentials could leverage this flaw to read, modify, or delete sensitive files on the affected system. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a fundamental path traversal flaw where user-supplied input is used to construct file paths without proper sanitization or validation. The affected product is AA-Team WZone (CPE: cpe:2.3:a:aa-team:wzone:*:*:*:*:*:*:*:*), a WordPress plugin that likely processes file operations or directory access. Attackers can manipulate pathname parameters (typically using sequences like '../' or absolute paths) to traverse the directory structure and access files beyond the intended restricted boundary. The reference to 'arbitrary file deletion' in the Patchstack advisory suggests the vulnerability may permit not only reading but also modifying or deleting files, elevating the severity beyond simple information disclosure.

RemediationAI

Organizations should immediately upgrade AA-Team WZone to a patched version higher than 14.0.31 if such a release is available from AA-Team or the WordPress plugin repository. Users should consult the Patchstack advisory and AA-Team's official security announcements for confirmation of available patches and upgrade instructions. As a temporary mitigation pending patching, implement web application firewall (WAF) rules to block common path traversal payloads (sequences like '../', '..\', '%2e%2e%2f'), restrict file permissions to the least-privilege principle, and monitor file access logs for suspicious directory traversal attempts. Additionally, ensure the WordPress installation runs on an account with minimal filesystem permissions, and consider disabling the WZone plugin entirely if it is non-critical to operations until a patch is confirmed and tested.

Share

CVE-2026-27040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy