{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31913", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-10T10:59:45.898Z", "datePublished": "2026-03-25T16:14:56.717Z", "dateUpdated": "2026-03-25T16:14:56.717Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "scape", "product": "Scape", "vendor": "Whitebox-Studio", "versions": [{"changes": [{"at": "1.5.16", "status": "unaffected"}], "lessThanOrEqual": "< 1.5.16", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.177Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.<p>This issue affects Scape: from n/a through < 1.5.16.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:56.717Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-16-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "title": "WordPress Scape theme < 1.5.16 - Arbitrary File Deletion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16."}], "id": "CVE-2026-31913", "lastModified": "2026-03-25T17:16:58.517", "metrics": {}, "published": "2026-03-25T17:16:58.517", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-16-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:39:46.546252+00:00", "value": {"mitigation_remediation": ["Upgrade the Scape theme to version 1.5.16 or later."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion via Path Traversal"}, "threat_synthesis": {"affected_systems": "All deployments of the Whitebox\u2011Studio Scape theme with a version number less than 1.5.16 are impacted. Users running the theme on any WordPress installation, regardless of the server OS, are considered affected, as the vulnerability is tied solely to the theme code rather than the underlying platform.", "description_and_impact": "The whitebox\u2011studio Scape WordPress theme contains an improper limitation of pathname handling, which allows attackers to craft requests that perform path traversal. This flaw enables the deletion of any file within the server\u2019s filesystem that is reachable through the web application, effectively removing website content, configuration files, or potentially other critical server files. The result is a loss of data integrity, potential service disruption, and a clear path to further compromise if the attacker can influence the site\u2019s ability to run code or modify configuration.", "risk_and_exploitability": "No CVSS score is supplied and the EPSS score is unavailable, making precise numerical risk assessment difficult. The lack of a KEV listing indicates that no publicly known exploits have been reported, yet the high-impact nature of arbitrary file deletion suggests that the vulnerability carries a serious risk. Attackers can likely trigger the issue by sending crafted URLs or form submissions that exploit the traversal logic, and the ability to delete critical files could lead to a complete denial of service or facilitate later code execution. The probable attack vector is remote via the web interface, given the theme\u2019s integration with WordPress's content rendering endpoints."}}}}, "created": "2026-03-25T21:43:49.025904+00:00", "updated": "2026-03-25T21:43:49.025932+00:00", "vendors": []}