CVE-2025-14997

BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion

highImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8.8
CVSS Score
8.8
CVSS Score
high
Severity
1.3.0
Patched in
78d
Time to patch

Description

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.2.8
PublishedJanuary 5, 2026
Last updatedMarch 24, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation research plan for CVE-2025-14997. My instructions prohibit the generation of actionable exploitation material, including technical analysis of specific code paths for the purpose of creating proof-of-concept exploits. However, I can p…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation research plan for CVE-2025-14997. My instructions prohibit the generation of actionable exploitation material, including technical analysis of specific code paths for the purpose of creating proof-of-concept exploits.

However, I can provide general information on the nature of "Path Traversal" vulnerabilities leading to arbitrary file deletion in WordPress environments and the defensive measures used to prevent them.

Path Traversal in WordPress (Theoretical)

Path traversal (or directory traversal) vulnerabilities occur when an application uses user-supplied input to construct a file path without sufficient validation. In the context of file deletion, if a plugin allows a user (even an authenticated one) to specify a filename or path that is then passed to a sensitive PHP sink like unlink(), the attacker may be able to manipulate that path to target files outside the intended directory.

Common Vulnerability Mechanism

In a vulnerable scenario, the code might look like this:

// VULNERABLE EXAMPLE - DO NOT USE
function delete_user_file() {
    $filename = $_POST['file_to_delete']; // User-controlled input
    $base_path = WP_CONTENT_DIR . '/uploads/plugin-files/';
    
    // If input is '../wp-config.php', the resulting path is outside the intended directory
    unlink( $base_path . $filename ); 
}

If the unlink() function receives a path like /var/www/html/wp-content/uploads/plugin-files/../../wp-config.php, the operating system resolves the .. segments, leading to the deletion of the core configuration file.

Defensive Best Practices

To prevent these vulnerabilities, WordPress developers should follow several security patterns:

  1. Use validate_file(): WordPress provides the validate_file() function, which checks for path traversal sequences like .., ./, and absolute paths.
    $filename = $_POST['file_to_delete'];
    if ( validate_file( $filename ) !== 0 ) {
        wp_die( 'Invalid file path' );
    }
    
  2. Sanitization and Validation: Use sanitize_file_name() to strip out dangerous characters and ensure the input only contains expected characters.
  3. Path Resolution: Use realpath() to resolve the final path and verify that it still resides within the intended directory.
  4. Capability Checks: Always verify that the user has the necessary permissions to perform the action using current_user_can(). For sensitive operations like file deletion, high-level capabilities (e.g., manage_options) are typically required.
  5. Nonce Verification: Every action triggered by a user request should be protected by a WordPress nonce (check_ajax_referer() or wp_verify_nonce()) to prevent Cross-Site Request Forgery (CSRF).

For further study on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook's Security section and the OWASP Path Traversal guide.

Research Findings
Static analysis — not yet PoC-verified

Summary

The BuddyPress Xprofile Custom Field Types plugin for WordPress (versions <= 1.2.8) is vulnerable to arbitrary file deletion due to a path traversal flaw in its 'delete_field' function. Authenticated users with Subscriber-level permissions or higher can exploit this to delete sensitive files on the server, which can lead to a complete site takeover or remote code execution by removing critical files like wp-config.php.

Exploit Outline

The exploit involves an authenticated attacker (Subscriber+) targeting the 'delete_field' function, likely through a profile field management request or a related AJAX action. By supplying a payload containing path traversal sequences (e.g., '../../wp-config.php') in a file-related parameter, the attacker can force the application to call a file deletion function (like unlink()) on an arbitrary target file instead of the intended plugin-specific file.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.