Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal.This issue affects WebinarIgnition: from n/a through < 4.08.253.
AnalysisAI
Path traversal in the WebinarIgnition WordPress plugin (Saleswonder Team: Tobias) affects all versions up to and including 4.08.253 and allows authenticated low-privilege users to manipulate file paths outside the intended plugin directory. The linked Patchstack advisory characterizes the concrete impact as arbitrary file deletion, which can corrupt the WordPress installation or enable further compromise. EPSS probability is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, despite the 9.9 CVSS score.
Technical ContextAI
WebinarIgnition is a commercial WordPress plugin for hosting and managing webinars. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where user-controllable input is incorporated into a filesystem path without sufficient canonicalization or validation, permitting '../' style sequences to escape the intended base directory. Because it runs inside the WordPress/PHP environment, a successful traversal operates with the web server's privileges across the underlying filesystem; the Patchstack reference frames the resulting primitive as arbitrary file deletion rather than read, meaning attacker-supplied paths reach a delete/unlink operation. No specific CPE strings were supplied beyond the EUVD product entry (WebinarIgnition 0 ≤ 4.08.253).
RemediationAI
Upgrade WebinarIgnition to version 4.08.253, which the advisory identifies as the fixed release (Vendor-released patch: 4.08.253); the version string in the description and the Patchstack advisory URL both point to 4.08.253 as the boundary, so update to that build or later. Until the update is applied, reduce exposure by restricting who holds authenticated WordPress accounts, since exploitation requires at least low-privilege access (PR:L) - audit and remove untrusted or unnecessary accounts, and tighten role capabilities. As a compensating control, place a WAF or virtual patch in front of the site to block requests containing path-traversal sequences ('../', encoded variants) targeting the plugin's endpoints, accepting that WAF rules can be bypassed and may need tuning to avoid false positives. If the plugin is not actively used, deactivate and remove it entirely to eliminate the attack surface. Refer to the Patchstack advisory for details: https://patchstack.com/database/Wordpress/Plugin/webinar-ignition/vulnerability/wordpress-webinarignition-plugin-4-08-253-arbitrary-file-deletion-vulnerability?_s_id=cve
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32205
GHSA-3fj5-pxmx-ggjp