{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22448", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:43:49.724Z", "datePublished": "2026-03-25T16:14:22.252Z", "dateUpdated": "2026-04-28T17:12:08.343Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "pitchprint", "product": "PitchPrint", "vendor": "flexcubed", "versions": [{"changes": [{"at": "11.2.0", "status": "unaffected"}], "lessThanOrEqual": "11.1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:32.843Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.<p>This issue affects PitchPrint: from n/a through <= 11.1.2.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.259Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/pitchprint/vulnerability/wordpress-pitchprint-plugin-11-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress PitchPrint plugin <= 11.1.2 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T17:58:25.655761Z", "id": "CVE-2026-22448", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:12:08.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22448", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T17:58:25.655761Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T17:57:38.775Z"}}], "cna": {"title": "WordPress PitchPrint plugin <= 11.1.2 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "NumeX | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "flexcubed", "product": "PitchPrint", "versions": [{"status": "affected", "changes": [{"at": "11.2.0", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "11.1.2"}], "packageName": "pitchprint", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:32.843Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/pitchprint/vulnerability/wordpress-pitchprint-plugin-11-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.<p>This issue affects PitchPrint: from n/a through <= 11.1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:02.871Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22448", "state": "PUBLISHED", "dateUpdated": "2026-04-24T15:55:59.010Z", "dateReserved": "2026-01-07T13:43:49.724Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:22.252Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2."}, {"lang": "es", "value": "Limitaci\u00f3n incorrecta de un nombre de ruta a un directorio restringido ('Salto de ruta') vulnerabilidad en flexcubed PitchPrint pitchprint permite Salto de ruta. Este problema afecta a PitchPrint: desde n/a hasta &lt;= 11.1.2."}], "id": "CVE-2026-22448", "lastModified": "2026-04-28T19:36:38.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:30.507", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/pitchprint/vulnerability/wordpress-pitchprint-plugin-11-1-2-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.1.2]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[11.2.0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PitchPrint", "source": "cna", "vendor": "flexcubed"}, "product": "pitchprint", "vendor": "flexcubed"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-27T19:28:17.593109+00:00", "value": {"mitigation_remediation": ["Apply the latest PitchPrint plugin version, any release above 11.1.2.", "If an upgrade is not immediately possible, disable or delete the plugin from the WordPress installation.", "Restrict file permissions on the plugin directory to prevent unauthorized write or delete operations.", "Enable logging and monitor for unexpected file deletions or path traversal attempts."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion may compromise site integrity and availability"}, "threat_synthesis": {"affected_systems": "The flaw exists in the flexcubed PitchPrint WordPress plugin versions up to and including 11.1.2. Any WordPress site that has this plugin installed within that version range is susceptible, regardless of the overall WordPress version.", "description_and_impact": "The vulnerability is a path traversal flaw that allows an attacker to delete arbitrary files from the server. An attacker who can trigger the vulnerable functionality can remove core website files, configuration files, or other critical assets, potentially leading to site downtime, data loss, or facilitating further compromise. The weakness is classified as CWE-22, improper limitation of a pathname to a restricted directory.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity impact and a moderate complexity attack. The EPSS score of less than 1% suggests that current exploitation rates are low, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the flaw can be leveraged remotely through the plugin's interface if an attacker can gain the necessary access, exposing the site to potential data loss and downtime."}}}}, "created": "2026-03-25T21:35:30.716009+00:00", "updated": "2026-03-27T20:26:33.224479+00:00", "vendors": ["flexcubed", "flexcubed$PRODUCT$pitchprint", "wordpress", "wordpress$PRODUCT$wordpress"]}