Platform: wordpress
Component: energox
Fixed in: 1.2.1
CVE-2026-24970 describes an Arbitrary File Access vulnerability in the Energox WordPress plugin. By manipulating the file paths the plugin accepts, an attacker may be able to read sensitive files on the server. Versions of Energox from 0.0.0 up to and including 1.2 are affected. A fix is available in version 1.3.
Arbitrary File Access lets an attacker bypass the plugin's intended restrictions and reach files outside the directory it is meant to serve from. By crafting requests with manipulated file paths, an attacker could retrieve configuration files, database credentials, or other sensitive data stored on the server. Successful exploitation could give unauthorized access to the WordPress environment and compromise the entire website. The impact is amplified if the server hosts other applications or services, since the data exposed through this vulnerability could serve as a stepping stone for further attacks.
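The defence against this class of bug is to canonicalise the requested path and check that it still lies inside the directory the plugin is allowed to serve from. The following Python function is an added illustration of that check and is not the Energox plugin's code; the directory layout, file names and function names are constructed for this example. It also shows why canonicalisation matters: a symlink inside the base directory that points outside it is rejected by the same check that catches textual `../` traversal.

```python
"""Hardened path resolution for a component that serves files from a base
directory. Added example for the path-manipulation class of bug described
above; not the Energox plugin's code. All names here are this example's own."""
import os
import tempfile
from typing import Dict, Optional


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it lies inside `base_dir`,
    otherwise None.

    realpath() collapses '.' and '..' segments and follows symlinks, so both
    textual traversal and a symlink escaping the base end up as paths outside
    `base` and fail the containment test below."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole segments, so '/srv/app2' is not mistaken for
    # being inside '/srv/app' the way a plain startswith() check would.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed directory tree and report which requests resolve."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "assets")
    os.makedirs(base)
    with open(os.path.join(base, "style.css"), "w") as fh:
        fh.write("/* constructed sample asset */\n")
    # Constructed stand-in for a sensitive file one level above the base.
    secret = os.path.join(root, "wp-config.php")
    with open(secret, "w") as fh:
        fh.write("<?php /* constructed */\n")
    # A symlink that lives inside the base but points outside it.
    os.symlink(secret, os.path.join(base, "link.css"))
    return {
        "style.css": resolve_within(base, "style.css") is not None,
        "../wp-config.php": resolve_within(base, "../wp-config.php") is not None,
        "absolute": resolve_within(base, secret) is not None,
        "link.css": resolve_within(base, "link.css") is not None,
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:20s} -> {'served' if allowed else 'rejected'}")
```

Only `style.css` is served; the traversal string, the absolute path and the escaping symlink are all rejected because, after `realpath()`, none of them share the base directory as a common prefix.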
CVE-2026-24970 was publicly disclosed on 2026-03-25. As of this writing, there are no publicly known proof-of-concept exploits. The vulnerability's severity is rated HIGH (CVSS 7.7), indicating a moderate probability of exploitation. It has not been added to the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-24970 is to upgrade the Energox WordPress plugin to version 1.3 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (e.g., ../) as a stopgap until the plugin can be updated. Additionally, restrict file permissions on sensitive directories so the web server process cannot read more than it needs. Regularly review installed WordPress plugins and ensure they come from trusted sources.
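A WAF rule that matches only the literal string `../` is easy to get wrong: the same traversal can arrive percent-encoded or double-encoded, and a naive `..` substring match also flags harmless values such as `about..more`. The script below is an added example of a detection pass over access logs that decodes before matching and only fires on a whole path segment equal to `..`; it is not from the page or the plugin. The log lines are constructed, and the `view.php?file=` endpoint under `/wp-content/plugins/energox/` is assumed for illustration, since the page does not name the vulnerable parameter.

```python
"""Traversal detection over web-server access log lines. Added example of the
WAF-style check the mitigation above describes; not the page's or the
plugin's code. The log lines and the endpoint path are constructed."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed access-log lines (common log format). The endpoint and the
# `file` parameter are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/energox/view.php?file=style.css HTTP/1.1" 200 512
203.0.113.5 - - [25/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/energox/view.php?file=../../../wp-config.php HTTP/1.1" 200 2048
198.51.100.9 - - [25/Mar/2026:10:00:03 +0000] "GET /wp-content/plugins/energox/view.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
198.51.100.9 - - [25/Mar/2026:10:00:04 +0000] "GET /wp-content/plugins/energox/view.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048
192.0.2.7 - - [25/Mar/2026:10:00:05 +0000] "GET /index.php?p=about..more HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so nested encodings are unwrapped
    without looping forever) and fold backslashes to forward slashes."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True when any path segment, or any '/'-separated piece of a query
    value, is exactly '..'. Segment-wise matching avoids flagging values
    that merely contain two dots."""
    norm = normalize(target)
    path, _, query = norm.partition("?")
    pieces = path.split("/")
    for pair in query.split("&"):
        _, _, value = pair.partition("=")
        pieces.extend(value.split("/"))
    return any(piece == ".." for piece in pieces)


def find_traversal(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client IP, request target, status) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if has_traversal(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_traversal(SAMPLE_LOG):
        print(f"{ip:15s} {status} {target}")
```

Run against the constructed log, the plain, single-encoded and double-encoded requests are all reported while the `style.css` request and the `about..more` query are not. A 200 status on a flagged line is the signal worth escalating, since it suggests the request was served rather than blocked.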
Update to version 1.3, or a newer patched version
CVE-2026-24970 is a vulnerability in the Energox WordPress plugin allowing attackers to read files outside of the intended directory through path manipulation. It has a CVSS score of 7.7 (HIGH).
Yes, if you are using Energox versions 0.0.0 through 1.2, you are affected by this vulnerability. Upgrade to version 1.3 or later to mitigate the risk.
The recommended fix is to upgrade the Energox plugin to version 1.3 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
As of now, there are no publicly known active exploitation campaigns targeting CVE-2026-24970, but the vulnerability's severity warrants immediate attention.
Refer to the Energox plugin's official website or WordPress plugin repository for the latest advisory and update information.