Skip to main content

Meta Box CVE-2026-39468

| EUVDEUVD-2026-36933 MEDIUM
Path Traversal (CWE-22)
2026-06-15 Patchstack GHSA-rw49-7h3x-83f2
6.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
9.6 CRITICAL

Contributor-level authentication required (PR:L, not PR:N); path traversal file deletion impacts both integrity and availability at high severity; scope changes to server filesystem beyond WordPress application.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 23:15 vuln.today
CVE Published
Jun 15, 2026 - 20:17 cve.org
MEDIUM 6.8

DescriptionCVE.org

Contributor Arbitrary File Deletion in Meta Box - WordPress Custom Fields Framework <= 5.11.1 versions.

AnalysisAI

Arbitrary file deletion in Meta Box - WordPress Custom Fields Framework versions 5.11.1 and earlier exposes servers to filesystem damage through a path traversal flaw (CWE-22) accessible to WordPress Contributor-level users. By embedding traversal sequences in a crafted file deletion request, an authenticated Contributor can delete files outside the intended plugin directory, potentially reaching critical server or WordPress installation files. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis; however, the scope-changed CVSS metric indicates that impact can extend beyond the WordPress application boundary to the underlying server filesystem.

Technical ContextAI

The vulnerability affects the Meta Box - WordPress Custom Fields Framework plugin by elightup (CPE: cpe:2.3:a:elightup:meta_box_-_wordpress_custom_fields_framework:*:*:*:*:*:*:*:*), a widely-used WordPress plugin for building custom fields and meta boxes. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal): a file deletion code path exposed to Contributor-role users fails to sanitize or canonicalize user-supplied path input, allowing directory traversal sequences (e.g., '../../') to escape the expected deletion scope. The Scope:Changed (S:C) designation in the provided CVSS vector indicates that the impact boundary extends beyond the WordPress application itself, meaning the web server process's accessible filesystem - including configuration files, wp-config.php, or OS-level files writable by the server user - can be targeted.

RemediationAI

Update the Meta Box - WordPress Custom Fields Framework plugin to the first version released after 5.11.1 - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/meta-box/vulnerability/wordpress-meta-box-wordpress-custom-fields-framework-plugin-5-11-1-arbitrary-file-deletion-vulnerability) and the plugin's official WordPress.org changelog to confirm the exact patched version, as no specific fix version was independently verified in the available data. As an interim compensating control, audit and remove all unnecessary Contributor-level accounts, particularly on sites with open user registration, to reduce the privilege foothold available to attackers. Additionally, restrict the web server process (e.g., www-data or nginx user) to the minimum required filesystem write permissions using OS-level controls, so that even if traversal succeeds, the scope of deletable files is constrained - note this does not eliminate the vulnerability but limits blast radius. Implementing a WordPress file integrity monitor (e.g., Wordfence or similar) can provide detection capability for unauthorized deletions. Disabling the Meta Box plugin entirely until patching is feasible is the most conservative interim option on high-risk sites, though this will break any custom fields functionality dependent on it.

Share

CVE-2026-39468 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy