{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24969", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:41.578Z", "datePublished": "2026-03-25T16:14:33.459Z", "dateUpdated": "2026-04-28T16:14:51.951Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "instantva", "product": "Instant VA", "vendor": "designingmedia", "versions": [{"changes": [{"at": "1.0.2", "status": "unaffected"}], "lessThanOrEqual": "1.0.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:41.206Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.<p>This issue affects Instant VA: from n/a through <= 1.0.1.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.951Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/instantva/vulnerability/wordpress-instant-va-theme-1-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Instant VA theme <= 1.0.1 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:59:18.182561Z", "id": "CVE-2026-24969", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:55:39.178Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24969", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:59:18.182561Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:59:39.397Z"}}], "cna": {"title": "WordPress Instant VA theme <= 1.0.1 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "designingmedia", "product": "Instant VA", "versions": [{"status": "affected", "changes": [{"at": "1.0.2", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.1"}], "packageName": "instantva", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:41.206Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/instantva/vulnerability/wordpress-instant-va-theme-1-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.<p>This issue affects Instant VA: from n/a through <= 1.0.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:51.951Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24969", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:51.951Z", "dateReserved": "2026-01-28T09:50:41.578Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:33.459Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in designingmedia Instant VA instantva allows Path Traversal.This issue affects Instant VA: from n/a through <= 1.0.1."}, {"lang": "es", "value": "Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') vulnerabilidad en designingmedia Instant VA instantva permite Salto de Ruta. Este problema afecta a Instant VA: desde n/a hasta &lt;= 1.0.1."}], "id": "CVE-2026-24969", "lastModified": "2026-04-28T15:16:24.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:38.803", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/instantva/vulnerability/wordpress-instant-va-theme-1-0-1-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.0.2,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Instant VA", "source": "cna", "vendor": "designingmedia"}, "product": "instant_va", "vendor": "designingmedia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T21:08:49.652415+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of the Instant\u202fVA theme that is newer than 1.0.1 or apply any vendor patch addressing the path traversal flaw.", "If a newer version is unavailable, limit the theme's file deletion functionality to administrators only or remove the deletion feature completely.", "Create regular backups of the website files and database to recover from accidental deletions.", "Set restrictive file permissions on the server, ensuring the web server user cannot delete critical configuration files.", "Monitor the web server access logs for suspicious file deletion requests and investigate any anomalies promptly."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion via Path Traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the designingmedia Instant\u202fVA WordPress theme, from the earliest known release through version\u202f1.0.1. All installations running 1.0.1 or any earlier build are potentially vulnerable. The issue does not apply to later versions released after 1.0.1, assuming the patch has been applied.", "description_and_impact": "An attacker can exploit a path traversal flaw in the designingmedia Instant\u202fVA theme to delete arbitrary files from the server. The vulnerability allows the theme to resolve file paths outside its intended directory, resulting in the removal of critical website files such as configuration or content files, potentially leading to site downtime or loss of data. The weakness is a classic Path Traversal (CWE\u201122) that primarily affects the availability of the affected WordPress site and does not directly grant code execution. The impact is limited to file deletion but can have significant operational consequences. Based on the description, an attacker could craft a request that manipulates the file path to target undesired files.", "risk_and_exploitability": "The CVSS score of 7.7 classifies the flaw as high severity. The EPSS score of less than 1\u202f% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an HTTP request that provides a crafted file path parameter, so the exploit is web\u2011based. Though the probability of attack is low, the destructive nature of arbitrary file deletion warrants a prompt response."}}}}, "created": "2026-03-25T21:34:40.101578+00:00", "updated": "2026-03-27T09:46:23.071417+00:00", "vendors": ["designingmedia", "designingmedia$PRODUCT$instant_va", "wordpress", "wordpress$PRODUCT$wordpress"]}