Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27400

CVE-2026-27400: BookPro Path Traversal Vulnerability

CVE-2026-27400 is a path traversal vulnerability in BookPro versions 1.1.0 and earlier, enabling unauthenticated arbitrary file deletion. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-27400 Overview

CVE-2026-27400 is an unauthenticated arbitrary file deletion vulnerability in the WordPress BookPro plugin (ovabookpro) affecting versions up to and including 1.1.0. The flaw maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and allows remote attackers to delete arbitrary files on the underlying server without authentication. Deleting critical files such as wp-config.php can force WordPress into a setup state, enabling site takeover. The vulnerability is network-exploitable with low complexity and no user interaction.

Critical Impact

Unauthenticated remote attackers can delete arbitrary files on the host, leading to denial of service and potential site takeover when configuration files such as wp-config.php are removed.

Affected Products

  • WordPress plugin BookPro (ovabookpro) versions <= 1.1.0
  • WordPress sites with the BookPro plugin installed and enabled
  • Hosting environments where the WordPress process owns plugin-accessible files

Discovery Timeline

  • 2026-06-17 - CVE-2026-27400 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-27400

Vulnerability Analysis

The BookPro plugin exposes functionality that accepts a file path parameter and removes the referenced file. The handler is reachable without authentication and does not validate that the supplied path resolves to an expected directory. An attacker supplies a traversal sequence such as ../../../../wp-config.php to escape the plugin directory and remove files elsewhere on the filesystem. Deletion of WordPress core files like wp-config.php reverts the site to the installation wizard, allowing an attacker who reaches the site first to point WordPress at an attacker-controlled database and gain administrator access. The Patchstack advisory categorizes the issue as arbitrary file deletion through path traversal.

Root Cause

The root cause is missing path validation and missing authentication on a file-handling endpoint within the BookPro plugin. User-controlled input is concatenated into a filesystem path and passed to a delete routine without canonicalization, allowlisting, or capability checks. The plugin trusts request input for file location selection.

Attack Vector

Exploitation occurs over the network against the WordPress HTTP interface. An unauthenticated attacker issues a crafted request to the vulnerable plugin endpoint with a path traversal payload in the targeted parameter. No user interaction is required, and the scope is changed because the deleted files belong to the WordPress installation rather than the plugin itself.

No verified public proof-of-concept code is available at the time of writing. Refer to the Patchstack Vulnerability Report for advisory-level technical detail.

Detection Methods for CVE-2026-27400

Indicators of Compromise

  • Unexpected absence of WordPress core files such as wp-config.php, .htaccess, or index.php on sites running BookPro.
  • WordPress unexpectedly displaying the /wp-admin/install.php setup screen to visitors.
  • HTTP requests to BookPro plugin endpoints containing path traversal sequences such as ../ or URL-encoded variants %2e%2e%2f.
  • Web server access logs showing unauthenticated POST or GET requests to wp-content/plugins/ovabookpro/ handlers from a single source in rapid succession.

Detection Strategies

  • Inspect web server and WAF logs for requests targeting BookPro plugin paths that include directory traversal patterns in query or body parameters.
  • File integrity monitoring on WordPress installations to alert on deletion of core files, plugin files, and uploaded media.
  • Audit installed plugin versions across WordPress estates and flag any instance of BookPro at <= 1.1.0.

Monitoring Recommendations

  • Forward web server, PHP error, and WordPress audit logs to a centralized logging platform for retention and correlation.
  • Alert on HTTP 200 responses to plugin endpoints followed by filesystem unlink operations against paths outside the plugin directory.
  • Track sudden spikes in 5xx errors or installer redirects, which can indicate post-deletion site breakage.

How to Mitigate CVE-2026-27400

Immediate Actions Required

  • Deactivate the BookPro plugin until a patched release is installed.
  • Restrict access to wp-content/plugins/ovabookpro/ at the web server or WAF layer while remediation is in progress.
  • Back up wp-config.php, .htaccess, and the WordPress database before any further changes.
  • Verify the integrity of WordPress core files using checksums and restore any missing files from a known-good backup.

Patch Information

The vendor advisory tracked by Patchstack identifies BookPro versions <= 1.1.0 as vulnerable. Administrators should upgrade to a fixed release as published by the plugin vendor. Consult the Patchstack Vulnerability Report for the current fixed version reference.

Workarounds

  • Block requests to BookPro endpoints containing ../, ..\\, or URL-encoded traversal sequences using a web application firewall rule.
  • Remove write and delete permissions from the web server user on directories outside wp-content/uploads/ where feasible.
  • Place wp-config.php one directory above the WordPress webroot so traversal from the plugin directory cannot reach it through expected relative paths.
bash
# Example ModSecurity rule to block path traversal in BookPro requests
SecRule REQUEST_URI "@contains /wp-content/plugins/ovabookpro/" \
    "id:1027400,phase:2,deny,status:403,log,\
     msg:'CVE-2026-27400 BookPro path traversal attempt',\
     chain"
    SecRule ARGS|REQUEST_BODY "@rx (\.\./|\.\.\\|%2e%2e%2f|%2e%2e/)" \
        "t:none,t:lowercase,t:urlDecodeUni"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.