Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2.
AnalysisAI
A path traversal vulnerability exists in designingmedia Energox theme affecting versions up to and including 1.2, allowing attackers to access files outside intended directories through improper pathname validation. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has been reported by Patchstack. While CVSS and EPSS scores are not available and KEV status is unknown, the vulnerability represents a classic file access control weakness that could enable unauthorized file disclosure or deletion depending on application context.
Technical ContextAI
The vulnerability resides in the designingmedia Energox WordPress theme (CPE: cpe:2.3:a:designingmedia:energox:*:*:*:*:*:*:*:*), a component designed to extend WordPress functionality. The root cause is improper handling of file path inputs, categorized under CWE-22, which occurs when user-supplied input is used to construct file paths without adequate validation or sanitization. The affected theme versions from initial release through version 1.2 fail to properly restrict directory traversal sequences (such as '../' or '..\') in file access operations. This allows attackers to bypass intended directory boundaries and access arbitrary files on the server, potentially including configuration files, private data, or system files depending on server permissions and the specific implementation context.
RemediationAI
Immediately upgrade the Energox theme to a version newer than 1.2 if a patched version is available from the designingmedia vendor. Consult the Patchstack vulnerability database and the vendor's official security advisory for the specific patched version number and installation instructions. Until patching is completed, implement compensatory controls by restricting WordPress theme file access through server-level configurations, disabling unnecessary Energox theme functionality, or temporarily deactivating the theme if a patched version is unavailable. Additionally, review server access logs and file system activity for indicators of path traversal exploitation attempts targeting the theme directory, and implement Web Application Firewall (WAF) rules to block common path traversal patterns (such as sequences containing '../' or encoded equivalents) in requests to the theme. Monitor the Patchstack database and designingmedia vendor communications for official patch release notifications.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15580
GHSA-44cv-6xv4-6x7h