{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31913", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-10T10:59:45.898Z", "datePublished": "2026-03-25T16:14:56.717Z", "dateUpdated": "2026-04-29T09:51:57.206Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "scape", "product": "Scape", "vendor": "Whitebox-Studio", "versions": [{"changes": [{"at": "1.5.16", "status": "unaffected"}], "lessThanOrEqual": "< 1.5.16", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.177Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.<p>This issue affects Scape: from n/a through < 1.5.16.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.206Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-16-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Scape theme < 1.5.16 - Arbitrary File Deletion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:21:13.347331Z", "id": "CVE-2026-31913", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:21:17.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-31913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:21:13.347331Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:20:52.004Z"}}], "cna": {"title": "WordPress Scape theme < 1.5.16 - Arbitrary File Deletion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Whitebox-Studio", "product": "Scape", "versions": [{"status": "affected", "changes": [{"at": "1.5.16", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.5.16"}], "packageName": "scape", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:37.177Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-16-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.<p>This issue affects Scape: from n/a through < 1.5.16.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.206Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31913", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:57.206Z", "dateReserved": "2026-03-10T10:59:45.898Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:56.717Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16."}, {"lang": "es", "value": "Vulnerabilidad de Limitaci\u00f3n Inadecuada de un Nombre de Ruta a un Directorio Restringido ('Salto de Ruta') en Whitebox-Studio Scape scape permite el Salto de Ruta. Este problema afecta a Scape: desde n/d hasta &lt; 1.5.16."}], "id": "CVE-2026-31913", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:58.517", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-16-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Scape", "source": "cna", "vendor": "Whitebox-Studio"}, "product": "scape", "vendor": "whitebox-studio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T16:53:21.057006+00:00", "value": {"mitigation_remediation": ["Apply the latest update to the Scape theme (v1.5.16 or later).", "If an update is not immediately possible, disable or remove the Scape theme from the WordPress installation to prevent the path traversal from being triggered."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "Whitebox-Studio Scape theme distributed as part of WordPress sites. All installations of the Scape theme with versions prior to 1.5.16 are affected. No additional vendor or product scope is identified beyond the theme itself.", "description_and_impact": "Improper Limitation of a Pathname to a Restricted Directory allows a path traversal condition that can lead to arbitrary deletion of files within the WordPress installation. The vulnerability permits a malicious actor to specify a file path that escapes the intended directory boundary, causing the Scape theme code to delete the target file. This can compromise site integrity, remove critical content or configuration files, and result in a denial of service. The weakness is catalogued as CWE-22.", "risk_and_exploitability": "The CVSS base score of 8.6 indicates a high severity vulnerability. EPSS indicates a low probability of widespread exploitation, and the issue is not listed in CISA\u2019s KEV catalog, suggesting it has not been actively exploited in the wild. The likely attack vector is remote, achieved via HTTP requests to the WordPress site that invoke the vulnerable theme functionality. Exploitation would require successful path traversal and file deletion, though authentication requirements are not specified in the available description. Given these factors, the overall risk remains high but exploitation effort is likely low to moderate."}}}}, "created": "2026-03-25T21:43:49.025904+00:00", "updated": "2026-03-27T09:31:16.613030+00:00", "vendors": ["whitebox-studio", "whitebox-studio$PRODUCT$scape", "wordpress", "wordpress$PRODUCT$wordpress"]}