CVE-2026-31913
Published: 25 March 2026
Summary
CVE-2026-31913 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the path traversal vulnerability by patching the Scape theme to version 1.5.16 or later, eliminating the arbitrary file deletion capability.
Validates pathname inputs to the Scape theme to properly limit access to restricted directories and block traversal sequences like '../'.
Monitors software and file integrity to detect unauthorized deletions of critical files resulting from path traversal exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Public-facing WordPress theme path traversal (CWE-22) directly enables remote unauthenticated exploitation of a web application (T1190) and provides the capability for arbitrary file deletion, which facilitates data destruction for DoS impact (T1485) as well as targeted file deletion for indicator removal (T1070.004).
NVD Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal.This issue affects Scape: from n/a through < 1.5.16.
Deeper analysisAI
CVE-2026-31913 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified as CWE-22 (Path Traversal), affecting the Scape WordPress theme developed by Whitebox Studio. The issue impacts all versions of Scape prior to 1.5.16, enabling attackers to traverse restricted directories. It carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), indicating high severity due to its potential for significant availability disruption without requiring authentication or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity. By leveraging the path traversal flaw, they can achieve arbitrary file deletion on the targeted WordPress site, resulting in denial-of-service conditions through the destruction of critical files.
Patchstack advisories detail the vulnerability as an arbitrary file deletion issue in the Scape theme and recommend updating to version 1.5.16 or later, where the path traversal limitation has been fixed. No workarounds are specified in the available references.
Details
- CWE(s)