Severity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Contributor-level authentication required (PR:L, not PR:N); path traversal file deletion impacts both integrity and availability at high severity; scope changes to server filesystem beyond WordPress application.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Contributor Arbitrary File Deletion in Meta Box - WordPress Custom Fields Framework <= 5.11.1 versions.
AnalysisAI
Arbitrary file deletion in Meta Box - WordPress Custom Fields Framework versions 5.11.1 and earlier exposes servers to filesystem damage through a path traversal flaw (CWE-22) accessible to WordPress Contributor-level users. By embedding traversal sequences in a crafted file deletion request, an authenticated Contributor can delete files outside the intended plugin directory, potentially reaching critical server or WordPress installation files. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis; however, the scope-changed CVSS metric indicates that impact can extend beyond the WordPress application boundary to the underlying server filesystem.
Technical ContextAI
The vulnerability affects the Meta Box - WordPress Custom Fields Framework plugin by elightup (CPE: cpe:2.3:a:elightup:meta_box_-_wordpress_custom_fields_framework:*:*:*:*:*:*:*:*), a widely-used WordPress plugin for building custom fields and meta boxes. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal): a file deletion code path exposed to Contributor-role users fails to sanitize or canonicalize user-supplied path input, allowing directory traversal sequences (e.g., '../../') to escape the expected deletion scope. The Scope:Changed (S:C) designation in the provided CVSS vector indicates that the impact boundary extends beyond the WordPress application itself, meaning the web server process's accessible filesystem - including configuration files, wp-config.php, or OS-level files writable by the server user - can be targeted.
RemediationAI
Update the Meta Box - WordPress Custom Fields Framework plugin to the first version released after 5.11.1 - consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/meta-box/vulnerability/wordpress-meta-box-wordpress-custom-fields-framework-plugin-5-11-1-arbitrary-file-deletion-vulnerability) and the plugin's official WordPress.org changelog to confirm the exact patched version, as no specific fix version was independently verified in the available data. As an interim compensating control, audit and remove all unnecessary Contributor-level accounts, particularly on sites with open user registration, to reduce the privilege foothold available to attackers. Additionally, restrict the web server process (e.g., www-data or nginx user) to the minimum required filesystem write permissions using OS-level controls, so that even if traversal succeeds, the scope of deletable files is constrained - note this does not eliminate the vulnerability but limits blast radius. Implementing a WordPress file integrity monitor (e.g., Wordfence or similar) can provide detection capability for unauthorized deletions. Disabling the Meta Box plugin entirely until patching is feasible is the most conservative interim option on high-risk sites, though this will break any custom fields functionality dependent on it.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36933
GHSA-rw49-7h3x-83f2