Attack Vectors
CVE-2026-24970 affects the Energox | EV Charging Station WordPress Theme (theme slug: energox) in versions up to and including 1.2. It is rated High severity (CVSS 8.1, vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H): exploitable over the network with low complexity and no user interaction, requiring only a low-privileged logged-in account. The vector rates integrity and availability impact High and confidentiality None, so the direct effect is destruction of files rather than disclosure of data.
The key risk is that the attacker only needs Subscriber-level access (or higher). In many organizations, Subscriber accounts exist for newsletters, gated content, event registration, partner portals, or internal stakeholders—so the practical exposure can be broader than “admins only.”
Official record: https://www.cve.org/CVERecord?id=CVE-2026-24970
Security Weakness
The vulnerability is an authenticated arbitrary file deletion issue caused by insufficient file path validation: the theme does not adequately restrict which file paths a logged-in user is allowed to target for deletion, so a request can name files outside whatever directory the feature is meant to manage.
Because of this weakness, an authenticated attacker can potentially delete arbitrary files on the server. The original advisory notes this can "easily lead to remote code execution when the right file is deleted (such as wp-config.php)," turning what might look like "just deletion" into a pathway to full site takeover. The wp-config.php case is the classic one: without that file WordPress treats the site as not yet installed and serves its setup screen, so whoever reaches it first can complete the installation against a database they control and then install a plugin or theme of their choice, which is the code execution the advisory refers to.
Source advisory: Wordfence Threat Intel entry
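To make the weakness concrete, the following is an added example written for this page; it is not the Energox theme's code and not taken from the Wordfence advisory. It models the class of bug described above (a logged-in user naming a file to delete, with no path validation) next to a hardened handler. The hook names, the `file` request parameter and the nonce action string are hypothetical; the WordPress functions called (`current_user_can`, `check_ajax_referer`, `wp_upload_dir`, `wp_check_filetype`, `wp_delete_file`, `wp_send_json_*`) are real.

```php
<?php
/*
 * Added example, not code from the Energox theme or from Wordfence.
 * Hook names, the "file" parameter and the nonce action are hypothetical.
 */

/* ---- Vulnerable pattern (illustrative) ----
 * wp_ajax_* hooks are reachable by ANY logged-in user, Subscribers included.
 * The handler trusts the request to say which file to delete and never checks
 * capability, a nonce, or where the path actually points.
 */
function energox_example_delete_vulnerable() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path = ABSPATH . $file;            // "wp-config.php" or "../../x" pass straight through
    if ( file_exists( $path ) ) {
        unlink( $path );                // file=wp-config.php removes the site's config
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_energox_example_delete', 'energox_example_delete_vulnerable' );

/* ---- Hardened version ----
 * Capability check, CSRF check, then path containment, in that order.
 */
function energox_example_delete_safe() {
    // 1. Capability: a Subscriber must not reach file operations at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );          // wp_send_json_error() ends the request
    }

    // 2. CSRF: the request must carry a nonce minted for this specific action.
    check_ajax_referer( 'energox_example_delete' );     // dies on failure by default

    // 3. Containment: resolve both the allowed base and the requested file with
    //    realpath(), which collapses ".." and follows symlinks, then require the
    //    target to sit strictly below the uploads directory.
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $name    = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $target  = $base ? realpath( $base . '/' . $name ) : false;   // false if the file is missing

    if ( false === $base || false === $target || ! is_file( $target )
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Type allow-list: only delete the kinds of files this feature manages.
    $type = wp_check_filetype( $target );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'invalid file type', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
add_action( 'wp_ajax_energox_example_delete_safe', 'energox_example_delete_safe' );
```

The client side of the hardened handler would mint the nonce with `wp_create_nonce( 'energox_example_delete' )` and send it as `_ajax_nonce`. Note that the containment check compares against `realpath()` output, so a symlink planted inside uploads that points at `wp-config.php` is rejected too. The most robust design avoids carrying a path in the request at all: reference media by attachment ID and call `wp_delete_attachment()`, which lets WordPress decide which files belong to that attachment.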
Technical or Business Impacts
Website outage and revenue loss: Deleting critical WordPress files can break the site immediately, impacting campaign landing pages, lead capture forms, ecommerce transactions, and customer support channels.
Site takeover risk: If key files are deleted (for example wp-config.php), the site's fallback behavior opens a path to remote code execution and persistent attacker access.
Brand and compliance exposure: Downtime, defacement, or malware warnings can damage brand trust and marketing performance. If an incident expands into unauthorized access or data handling concerns, it can trigger contractual notifications, regulatory scrutiny, and increased costs for forensics and remediation.
Remediation: Update Energox to version 1.3 or a newer patched version, and confirm the installed version afterwards (Appearance > Themes in the dashboard, or `wp theme list` with WP-CLI). As a business control, also review who can register for accounts (Settings > General > Membership, including the default role assigned to new users), remove unused Subscriber accounts, and ensure monitoring/alerting is in place for unexpected file changes and outages.
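One way to get the "alert on unexpected file changes" control from the remediation note, as an added example that is not part of the original page or of the theme: a small file-integrity check aimed at the files whose deletion the advisory warns about. Run once with `baseline` to record SHA-256 hashes, then periodically (cron) with `check`; a non-zero exit code signals a deleted or modified file so a monitoring agent can alert. The install path, baseline location and watched-file list are assumptions to adjust per site.

```php
<?php
/*
 * Added example, not part of the original page or of the Energox theme.
 * Usage:  php wp-fim.php baseline [root]   then   php wp-fim.php check [root]
 * The root, baseline path and watched files below are assumptions.
 */

const FIM_DEFAULT_ROOT = '/var/www/html';                 // assumed WordPress root
const FIM_BASELINE     = '/var/lib/wp-fim/baseline.json';  // keep outside the web root
const FIM_WATCHED      = array(
    'wp-config.php',      // loss drops WordPress into its install flow
    '.htaccess',
    'wp-settings.php',
    'wp-load.php',
    'index.php',
);

/* Hash each watched file; null marks a file that does not exist. */
function fim_snapshot( string $root, array $files ): array {
    $snap = array();
    foreach ( $files as $rel ) {
        $path         = rtrim( $root, '/' ) . '/' . $rel;
        $snap[ $rel ] = is_file( $path ) ? hash_file( 'sha256', $path ) : null;
    }
    return $snap;
}

/* Compare a stored baseline with a fresh snapshot; return one alert line per finding. */
function fim_diff( array $baseline, array $current ): array {
    $alerts = array();
    foreach ( $baseline as $rel => $was ) {
        $now = $current[ $rel ] ?? null;
        if ( null !== $was && null === $now ) {
            $alerts[] = "DELETED  $rel";
        } elseif ( null !== $now && $was !== $now ) {
            $alerts[] = "MODIFIED $rel";
        }
    }
    return $alerts;
}

$mode = $argv[1] ?? 'check';
$root = $argv[2] ?? FIM_DEFAULT_ROOT;

if ( 'baseline' === $mode ) {
    if ( ! is_dir( dirname( FIM_BASELINE ) ) ) {
        mkdir( dirname( FIM_BASELINE ), 0700, true );
    }
    file_put_contents( FIM_BASELINE, json_encode( fim_snapshot( $root, FIM_WATCHED ), JSON_PRETTY_PRINT ) );
    echo 'baseline written to ' . FIM_BASELINE . "\n";
    exit( 0 );
}

$baseline = json_decode( (string) @file_get_contents( FIM_BASELINE ), true );
if ( ! is_array( $baseline ) ) {
    fwrite( STDERR, "no baseline found; run: php wp-fim.php baseline [root]\n" );
    exit( 2 );
}
$alerts = fim_diff( $baseline, fim_snapshot( $root, FIM_WATCHED ) );
foreach ( $alerts as $line ) {
    echo $line, "\n";
}
exit( $alerts ? 1 : 0 );
```

For WordPress core files, WP-CLI's `wp core verify-checksums` already compares the install against the checksums published by wordpress.org; the script above is useful precisely for the site-specific files that command does not cover, such as wp-config.php and .htaccess. Store the baseline (and the script) where the web server user cannot write, or an attacker who gains file access can silently re-baseline.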
Similar Attacks
While not identical, the following widely documented WordPress-related incidents show how theme/plugin weaknesses can quickly escalate into large-scale compromise and business disruption:
CVE-2020-25213 (WP File Manager) — an unauthenticated file-upload flaw in the plugin's bundled elFinder connector that was exploited at scale to drop web shells and take control of sites.
CVE-2014-9734 (Slider Revolution / RevSlider) — a path traversal in a widely bundled slider component that let unauthenticated attackers read arbitrary files such as wp-config.php, and that fueled the 2014 SoakSoak mass compromise of WordPress sites.