Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Unauthenticated network-reachable endpoint with no user interaction; arbitrary file deletion changes scope to WordPress core and yields high availability impact with no direct confidentiality or integrity primitive.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Arbitrary File Deletion in BookPro <= 1.1.0 versions.
AnalysisAI
Unauthenticated arbitrary file deletion in the OvaTheme BookPro WordPress plugin (versions ≤ 1.1.0) allows remote attackers to delete arbitrary files from the underlying server via a path traversal flaw (CWE-22). Deletion of critical files such as wp-config.php can force a WordPress site into the setup state, enabling site takeover, while the scope-changed CVSS 3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/A:H) and Patchstack disclosure mark this as a high-priority issue despite no public exploit being identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerable BookPro plugin (OvaTheme ovabookpro, version ≤ 1.1.0) must be installed and active on a network-reachable WordPress site; no authentication, user interaction, or non-default configuration is required (CVSS PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Multiple signals point to elevated real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a single crafted HTTP request to the vulnerable BookPro endpoint with a file path parameter containing directory-traversal sequences pointing at wp-config.php (or another sensitive file). The plugin invokes its file deletion routine on the resolved path and removes the target; with wp-config.php gone, WordPress redirects visitors to the installation wizard, allowing the attacker to point the site at an attacker-controlled database and seize full administrative control. … |
| Remediation | Patch availability is not explicitly stated in the supplied data - no vendor-released patch identified at time of analysis beyond the Patchstack listing, which should be consulted directly at https://patchstack.com/database/wordpress/plugin/ovabookpro/vulnerability/wordpress-bookpro-plugin-1-1-0-arbitrary-file-deletion-vulnerability for fixed-version confirmation; upgrade to any BookPro release later than 1.1.0 once OvaTheme publishes one. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Immediately deactivate and remove OvaTheme BookPro plugin from all WordPress installations; if removal is not feasible, deploy WAF rules blocking path traversal patterns (../ sequences) targeting plugin and core WordPress directories. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37669