CVE-2026-27400: WordPress BookPro plugin <= 1.1.0 - Arbitrary File Deletion vulnerability
Unauthenticated Arbitrary File Deletion in BookPro versions <= 1.1.0.
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated arbitrary file deletion vulnerability affects the BookPro WordPress plugin by Ovatheme in versions 1.1.0 and earlier. The flaw is reachable over the network with no credentials required, meaning any internet-connected WordPress site running this plugin is exposed without any login barrier. Successful exploitation lets an attacker delete arbitrary files on the server, which can crash the site, corrupt application state, or trigger complete service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-27400 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the BookPro plugin alongside a WordPress base image.
HarborGuard scores this CVE at 8.6 HIGH (CVSS v3.1) and is capable of weighting that score against each customer environment's compliance policy to reflect their actual exposure. Triage routing is available to direct findings to the correct team inbox within each customer organization based on configured ownership rules.
No fix version has been published for CVE-2026-27400 as of the publication date. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Ovatheme publishes a remediated release of BookPro.
Exploit Conditions
- Network reachability: Required
  The vulnerable service must be reachable over the network; any internet-facing WordPress installation running this plugin is directly exposed.
- Authentication: Not required
  No credentials or account of any privilege level are needed to trigger the file deletion.
- Victim interaction: Not required
  The attack is fully automated and requires no action from a site administrator or any other user.
- Attack complexity: Low
  The exploit is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are required.
Blast Radius
- An attacker deletes arbitrary files on the server, including WordPress core files, configuration files, or uploaded content.
- Deleting critical files such as wp-config.php or index.php crashes the site and causes a complete loss of availability.
- Removal of configuration or credential files may expose sensitive data stored in those files before deletion takes full effect.
- Repeated or targeted file deletion can render the application unrecoverable without a full restore from backup.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-27400 is active across all connected registries and pipelines, with findings surfaced and routed according to each environment's compliance policy. Because no upstream fix exists yet, HarborGuard monitors the Patchstack advisory and the Ovatheme release channel on every ingest cycle. In the interim, compensating controls worth considering include network-policy rules that restrict inbound HTTP access to trusted IP ranges where operationally feasible, web application firewall rules targeting the vulnerable plugin endpoint, and disabling or removing the BookPro plugin from the WordPress installation until a patch is available. For customers with auto-remediation enabled, a patched rebuild and regression run will be triggered automatically and a pull request will be opened against affected workloads as soon as an upstream fix version is published.
Affected Products
- Ovatheme / BookPro: ≤ 1.1.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H