{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24969", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:33.459Z", "dateUpdated": "2026-03-26T18:59:43.603Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "instantva", "product": "Instant VA", "vendor": "designingmedia", "versions": [{"changes": [{"at": "1.0.2", "status": "unaffected"}], "lessThanOrEqual": "<= 1.0.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:14.742Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.<p>This issue affects Instant VA: from n/a through <= 1.0.1.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.459Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/instantva/vulnerability/wordpress-instant-va-theme-1-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Instant VA theme <= 1.0.1 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:59:18.182561Z", "id": "CVE-2026-24969", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:59:43.603Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-24969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:59:18.182561Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:59:39.397Z"}}], "cna": {"title": "WordPress Instant VA theme <= 1.0.1 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "affected": [{"vendor": "designingmedia", "product": "Instant VA", "versions": [{"status": "affected", "changes": [{"at": "1.0.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.0.1"}], "packageName": "instantva", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:14.742Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/instantva/vulnerability/wordpress-instant-va-theme-1-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.<p>This issue affects Instant VA: from n/a through <= 1.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:33.459Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24969", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:59:43.603Z", "dateReserved": "2026-01-28T09:50:41.578Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:33.459Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1."}, {"lang": "es", "value": "Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') vulnerabilidad en designingmedia Instant VA instantva permite Salto de Ruta. Este problema afecta a Instant VA: desde n/a hasta &lt;= 1.0.1."}], "id": "CVE-2026-24969", "lastModified": "2026-03-26T19:16:36.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:38.803", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/instantva/vulnerability/wordpress-instant-va-theme-1-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.0.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Instant VA", "source": "cna", "vendor": "designingmedia"}, "product": "instant_va", "vendor": "designingmedia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:41:28.598676+00:00", "value": {"mitigation_remediation": ["Upgrade the Instant VA theme to the latest version that removes the path traversal flaw.", "If an update is unavailable, disable file deletion functionality via configuration or plugin settings until a patch is released.", "Apply strict file permissions to the WordPress installation to limit writable directories to only those necessary for operation.", "Monitor file integrity on the web server to detect unexpected file removals.", "Check the theme developer\u2019s website or the WordPress Plugin Directory for any official patches or advisories."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion via path traversal"}, "threat_synthesis": {"affected_systems": "The theme affected is Instant VA from designingmedia, specifically all versions up to and including 1.0.1. Systems running any of these releases are vulnerable.", "description_and_impact": "The vulnerability is an improper limitation of pathname that allows an attacker to perform path traversal, enabling deletion of arbitrary files on the system where the WordPress Instant VA theme is installed. The primary impact is the loss of critical files, which can lead to website defacement, data loss, or extended service disruption. The weakness is identified as CWE-22, a classic directory traversal flaw that compromises the integrity of the application\u2019s file system.", "risk_and_exploitability": "The CVE does not list a CVSS score or EPSS data, and it is not present in the CISA KEV catalog, suggesting a moderate yet unquantified risk. Based on the description, the likely attack vector is remote via HTTP requests that include crafted filenames or path strings. An attacker who can provoke the vulnerable code path may delete files without needing local access, though the exploit would still require the ability to send such requests to the WordPress instance."}}}}, "created": "2026-03-25T21:34:40.101578+00:00", "updated": "2026-03-26T11:39:54.744069+00:00", "vendors": ["designingmedia", "designingmedia$PRODUCT$instant_va", "wordpress", "wordpress$PRODUCT$wordpress"]}