PatchSiren

CVE-2026-27400 Ovatheme CVE debrief

CVE-2026-27400 is a high-severity vulnerability in the BookPro plugin, affecting versions up to 1.1.0. The vulnerability allows unauthenticated attackers to delete arbitrary files. With a CVSS score of 8.6, this issue poses a significant risk to affected systems. The vulnerability was published on June 17, 2026, and immediately gained attention due to its severity and potential impact. Users of the BookPro plugin should take immediate action to mitigate this vulnerability.

Vendor: Ovatheme
Product: BookPro
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of the BookPro plugin, especially those using versions up to 1.1.0, should be concerned about this vulnerability. The unauthenticated arbitrary file deletion vulnerability can lead to significant security risks, including data loss and potential system compromise.

Technical summary

CVE-2026-27400 in the BookPro plugin allows unauthenticated attackers to delete arbitrary files. It is a high-severity issue with a CVSS score of 8.6 and the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vector indicates that the vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), and requires neither privileges (PR:N) nor user interaction (UI:N). Scope is changed (S:C), and the scored impact is on availability only (A:H), with no confidentiality (C:N) or integrity (I:N) impact recorded. The vulnerability is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Defensive priority

High

Recommended defensive actions

  • Update the BookPro plugin to a version beyond 1.1.0, if available.
  • Restrict access to the BookPro plugin to only trusted users.
  • Implement additional security measures, such as file access controls and monitoring.
  • Regularly review and update plugins and software to prevent similar vulnerabilities.
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks.
  • Monitor system logs for suspicious activity related to file deletion.
  • Perform regular backups to minimize data loss in case of an attack.

Evidence notes

The information provided is based on data from the National Vulnerability Database (NVD) and Patchstack. The CVE record and NVD detail pages provide official information about the vulnerability. The Patchstack reference offers mitigation details specific to the BookPro plugin.

Official resources

CVE-2026-27400 was published on June 17, 2026.