Skip to main content

Energox EUVDEUVD-2026-15580

| CVE-2026-24970 HIGH
Path Traversal (CWE-22)
2026-03-25 Patchstack GHSA-44cv-6xv4-6x7h
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15580
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.7

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Energox energox allows Path Traversal.This issue affects Energox: from n/a through <= 1.2.

AnalysisAI

A path traversal vulnerability exists in designingmedia Energox theme affecting versions up to and including 1.2, allowing attackers to access files outside intended directories through improper pathname validation. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has been reported by Patchstack. While CVSS and EPSS scores are not available and KEV status is unknown, the vulnerability represents a classic file access control weakness that could enable unauthorized file disclosure or deletion depending on application context.

Technical ContextAI

The vulnerability resides in the designingmedia Energox WordPress theme (CPE: cpe:2.3:a:designingmedia:energox:*:*:*:*:*:*:*:*), a component designed to extend WordPress functionality. The root cause is improper handling of file path inputs, categorized under CWE-22, which occurs when user-supplied input is used to construct file paths without adequate validation or sanitization. The affected theme versions from initial release through version 1.2 fail to properly restrict directory traversal sequences (such as '../' or '..\') in file access operations. This allows attackers to bypass intended directory boundaries and access arbitrary files on the server, potentially including configuration files, private data, or system files depending on server permissions and the specific implementation context.

RemediationAI

Immediately upgrade the Energox theme to a version newer than 1.2 if a patched version is available from the designingmedia vendor. Consult the Patchstack vulnerability database and the vendor's official security advisory for the specific patched version number and installation instructions. Until patching is completed, implement compensatory controls by restricting WordPress theme file access through server-level configurations, disabling unnecessary Energox theme functionality, or temporarily deactivating the theme if a patched version is unavailable. Additionally, review server access logs and file system activity for indicators of path traversal exploitation attempts targeting the theme directory, and implement Web Application Firewall (WAF) rules to block common path traversal patterns (such as sequences containing '../' or encoded equivalents) in requests to the theme. Monitor the Patchstack database and designingmedia vendor communications for official patch release notifications.

Share

EUVD-2026-15580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy