Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AA-Team WZone woozone allows Path Traversal.This issue affects WZone: from n/a through <= 14.0.31.
AnalysisAI
AA-Team WZone versions 14.0.31 and earlier contain a path traversal vulnerability that allows authenticated attackers to access files outside intended directories. An attacker with valid credentials could leverage this flaw to read, modify, or delete sensitive files on the affected system. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a fundamental path traversal flaw where user-supplied input is used to construct file paths without proper sanitization or validation. The affected product is AA-Team WZone (CPE: cpe:2.3:a:aa-team:wzone:*:*:*:*:*:*:*:*), a WordPress plugin that likely processes file operations or directory access. Attackers can manipulate pathname parameters (typically using sequences like '../' or absolute paths) to traverse the directory structure and access files beyond the intended restricted boundary. The reference to 'arbitrary file deletion' in the Patchstack advisory suggests the vulnerability may permit not only reading but also modifying or deleting files, elevating the severity beyond simple information disclosure.
RemediationAI
Organizations should immediately upgrade AA-Team WZone to a patched version higher than 14.0.31 if such a release is available from AA-Team or the WordPress plugin repository. Users should consult the Patchstack advisory and AA-Team's official security announcements for confirmation of available patches and upgrade instructions. As a temporary mitigation pending patching, implement web application firewall (WAF) rules to block common path traversal payloads (sequences like '../', '..\', '%2e%2e%2f'), restrict file permissions to the least-privilege principle, and monitor file access logs for suspicious directory traversal attempts. Additionally, ensure the WordPress installation runs on an account with minimal filesystem permissions, and consider disabling the WZone plugin entirely if it is non-critical to operations until a patch is confirmed and tested.
Missing Authorization vulnerability in AA-Team WZone.0.10. Rated critical severity (CVSS 9.8), this vulnerability is rem
Missing Authorization vulnerability in AA-Team WZone.0.10. Rated high severity (CVSS 8.8), this vulnerability is remotel
A blind SQL injection vulnerability exists in AA-Team's WZone WordPress plugin through version 14.0.31, allowing unauthe
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15758
GHSA-88fr-wj35-pwpg