Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.
AnalysisAI
Whitebox-Studio Scape versions prior to 1.5.16 contain a path traversal vulnerability allowing unauthenticated remote attackers to cause denial of service by accessing restricted directories and exhausting system resources. The vulnerability requires no user interaction and can be exploited over the network with low complexity, affecting the availability of affected systems. No patch is currently available.
Technical ContextAI
The vulnerability is rooted in improper input validation and pathname sanitization in the Scape WordPress theme (CPE: cpe:2.3:a:whitebox-studio:scape:*:*:*:*:*:*:*:*). This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability where user-supplied input containing path traversal sequences (such as ../ or similar directory escape patterns) is not adequately filtered before being used in file system operations. WordPress themes that handle file uploads, downloads, or asset serving are particularly vulnerable if they construct file paths using unsanitized user input without implementing proper canonicalization or allowlist validation.
RemediationAI
Immediately upgrade Whitebox-Studio Scape to version 1.5.16 or later, which addresses the path traversal vulnerability. This can typically be done through the WordPress theme update interface. Until patching is possible, implement strict input validation on any user-supplied parameters that influence file operations, restrict file system permissions on the web server to the minimum necessary scope, and consider implementing a Web Application Firewall (WAF) rule to detect and block common path traversal patterns (../, ..\, encoded variants, etc.). Additionally, ensure that the wp-content/uploads directory and other sensitive directories are not directly web-accessible for execution, and monitor file access logs for suspicious traversal attempts. The patch information and technical details are available in the Patchstack advisory referenced above.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15813
GHSA-mqc7-5qj8-5f3j