Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1.
AnalysisAI
A path traversal vulnerability in designingmedia Instant VA (a WordPress theme) allows attackers to access and manipulate files outside the intended restricted directory through improper pathname validation. This vulnerability affects Instant VA versions up to and including 1.0.1, enabling potential arbitrary file deletion or unauthorized file access depending on server permissions. While no CVSS or EPSS scoring has been assigned and KEV status is unknown, the vulnerability has been documented by Patchstack with a functional reference to the Instant VA theme, indicating active research and potential proof-of-concept availability.
Technical ContextAI
The vulnerability stems from a CWE-22 (Improper Limitation of Pathname to a Restricted Directory) flaw in the Instant VA WordPress theme (cpe:2.3:a:designingmedia:instant_va). Path traversal vulnerabilities occur when user-supplied input is used to construct file paths without adequate sanitization or validation, allowing attackers to use directory traversal sequences (such as ../ or encoded variants) to escape the intended root directory and access arbitrary files on the server filesystem. In the context of a WordPress theme, this likely affects template rendering, file inclusion mechanisms, or admin functionality that processes file paths. The theme's improper handling of pathname inputs fails to validate that resolved paths remain within the intended restricted directory, a common flaw in file handling routines that do not employ proper canonicalization or whitelist-based path validation.
RemediationAI
Update Instant VA to a version newer than 1.0.1 if available from designingmedia, or disable the theme entirely if no patched version is released. Verify the fix via the Patchstack database entry or contact designingmedia directly for an official security advisory. As an interim mitigation, apply principle-of-least-privilege: restrict WordPress file upload permissions, disable direct file editing (define DISALLOW_FILE_EDIT in wp-config.php), and use a Web Application Firewall (WAF) rule to block path traversal patterns (../, encoded sequences like %2e%2e%2f). Additionally, ensure the web server process runs with minimal filesystem permissions, isolate the WordPress directory, and implement strict input validation on any theme functions that accept file paths. Monitor access logs for traversal attempts and conduct a security audit of any files accessed or modified during the vulnerability window.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15578
GHSA-qh2g-w59g-x32v