Platform
wordpress
Component
eleganzo
Fixed in
1.2.1
1.3
CVE-2025-15470 is a medium-severity vulnerability affecting the Eleganzo WordPress theme. It allows authenticated users (Subscriber level and above) to delete arbitrary directories on the server due to insufficient path validation. This vulnerability impacts versions up to 1.2 and is resolved in version 1.3. Users are advised to upgrade immediately.
The arbitrary directory deletion capability presents a significant risk. An attacker with Subscriber access or higher can leverage this vulnerability to delete critical system files, including the WordPress installation itself and potentially other application data residing on the server. Successful exploitation could lead to a complete compromise of the web server, data exfiltration, and denial of service. The ability to delete the WordPress root directory is particularly concerning, as it effectively wipes out the entire website and associated database connection information. This vulnerability highlights the importance of robust input validation and access controls within WordPress themes.
The vulnerability was published on 2026-04-15. Currently, there are no publicly available exploits or active campaigns targeting CVE-2025-15470. The vulnerability's severity is medium, indicating a reasonable probability of exploitation if left unpatched, especially given the ease of access for authenticated users. Monitor WordPress security forums and vulnerability databases for any emerging threats.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Eleganzo WordPress theme to version 1.3 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider restricting file system access for WordPress users with Subscriber roles. Implement a Web Application Firewall (WAF) with rules to block requests containing suspicious directory traversal sequences. Regularly review WordPress plugin and theme permissions to ensure they adhere to the principle of least privilege. After upgrading, verify the integrity of the WordPress installation by checking for any unexpected file deletions or modifications.
Update to version 1.3, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-15470 is a medium-severity vulnerability in the Eleganzo WordPress theme that allows authenticated users to delete arbitrary directories on the server, potentially leading to complete compromise.
You are affected if you are using the Eleganzo WordPress theme version 1.2 or earlier. Upgrade to version 1.3 to mitigate the risk.
Upgrade the Eleganzo WordPress theme to version 1.3 or later. As a temporary workaround, restrict file system access for WordPress users with Subscriber roles.
Currently, there are no publicly known active campaigns exploiting CVE-2025-15470, but the vulnerability's severity warrants prompt patching.
Refer to the Eleganzo theme developer's website or the WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.