Eleganzo Theme Vulnerability (CVE-2025-15470)

Security Alert Summary

The Eleganzo theme for WordPress contains a vulnerability that allows authenticated users with Subscriber-level access and above to delete arbitrary directories on the server due to insufficient path validation. This behavior is triggered by the theme callback responsible for required plugin handling and can affect site files up to and including the WordPress root directory.


CVE Details

  • CVE ID: CVE-2025-15470
  • Affected component: Eleganzo theme for WordPress
  • Affected versions: All versions up to, and including, 1.2
  • Published: April 15, 2026 at 04:17:20 AM
  • Last modified: April 15, 2026 at 04:17:20 AM
  • CVSS v3.1: Base score 6.5, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (PR:L). No user interaction required (UI:N). The description specifies Subscriber-level access and above can exploit this behavior.
  • Impact (CIA): Confidentiality: None; Integrity: High; Availability: None
  • Weakness: CWE-22 (Path Traversal)

Technical Details

The vulnerability exists in the akd_required_plugin_callback function of the Eleganzo theme. Insufficient path validation in that callback allows an authenticated user with Subscriber-level access or higher to delete arbitrary directories on the server. The underlying issue is a failure to correctly validate or sanitize file system paths before performing deletion operations, which enables directory traversal or direct deletion of unintended filesystem locations.

The practical impact, as reported, is the ability to remove directories on the server, including the WordPress root directory. This represents a loss of integrity for site files and can result in deleted or tampered theme, plugin, or content files. The description and CVSS data do not indicate a confidentiality impact from this flaw, and no additional vulnerable endpoints or functions are named beyond the callback above.
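The two controls whose absence the advisory describes are a privilege check in front of the deletion and containment of the target path before anything is removed. The following is an added illustration of both, written for this page; it is not the Eleganzo theme's code, and the function names, the nonce action and the `wp-content/upgrade` base directory are assumptions chosen for the example.

```php
<?php
// Added example (not Eleganzo theme code): a hardened directory-removal handler
// that enforces a capability check, a nonce check, and path containment so that
// a low-privileged user cannot reach the operation and a traversal payload cannot
// escape the allowed base directory. All names prefixed "example_" are hypothetical.

/**
 * Return the canonical path of $candidate if it lies strictly inside $base_dir,
 * otherwise false. realpath() resolves "../" segments and symlinks before the
 * prefix comparison, so the check is made on the real location, not the string.
 */
function example_contained_path( string $base_dir, string $candidate ) {
    $base = realpath( $base_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return false; // base or candidate does not exist
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    // Append a separator to the candidate before the prefix test so that a
    // sibling such as "/var/www/html-other" is not accepted as inside "/var/www/html".
    if ( 0 !== strpos( $real . DIRECTORY_SEPARATOR, $base ) ) {
        return false;
    }
    // Refuse the base directory itself: only subdirectories may be deleted.
    if ( $real . DIRECTORY_SEPARATOR === $base ) {
        return false;
    }
    return $real;
}

/**
 * Hypothetical admin-ajax handler that removes a temporary plugin-package
 * directory. Only administrators (manage_options) holding a valid nonce may
 * call it, and only directories directly beneath wp-content/upgrade qualify.
 */
function example_delete_plugin_package_dir() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // Subscribers stop here
    }
    check_ajax_referer( 'example_delete_dir' ); // terminates on nonce failure

    $allowed_base = WP_CONTENT_DIR . '/upgrade';
    $requested    = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    // Keep only the last path component so user input cannot carry separators;
    // a value of ".." still resolves outside the base and is rejected below.
    $target = $allowed_base . '/' . basename( $requested );

    $safe = example_contained_path( $allowed_base, $target );
    if ( false === $safe ) {
        wp_send_json_error( 'path outside allowed directory', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    WP_Filesystem();
    global $wp_filesystem;
    $wp_filesystem->delete( $safe, true ); // recursive delete of the contained directory only
    wp_send_json_success( array( 'deleted' => basename( $safe ) ) );
}
add_action( 'wp_ajax_example_delete_plugin_package_dir', 'example_delete_plugin_package_dir' );
```

The order of the checks matters: the capability and nonce tests run before any filesystem call, so an unauthorised request never reaches `realpath()`, and the containment test is performed on the canonicalised path rather than on the raw string, which is what defeats `../` sequences and symlinks pointing outside the base.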


How This Could Impact Your Website

Consider a WordPress site with a site owner, internal staff (editors or contributors), and an external contractor who holds Subscriber-level access for commenting or limited tasks. If any of those accounts are used to trigger the vulnerable callback, an attacker could delete directories that contain theme files, plugin files, or media. The immediate consequence is corruption or loss of site files and the need to restore from backups or rebuild affected components. While the CVSS rating indicates confidentiality impact is none, the deletion of files can disrupt workflows, remove customizations, and increase recovery effort.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected theme as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially accounts with Subscriber-level access and above.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained themes and plugins from the site.
  • Monitor site activity and file changes for unusual behavior and maintain recent backups to enable recovery.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
