Meta Box < 5.11.2 – Contributor+ Arbitrary File Deletion | CVE 2025-14675 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Fixed in 5.11.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/036467de-95bb-4bfd-9522-df8dc17f3102

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

JongHwan Shin (zzzsleep)

Verified

No

WPVDB ID

89de743a-4179-42b6-a7e5-28832004383c

Timeline

Publicly Published

2026-03-06 (about 2 months ago)

Added

2026-03-07 (about 2 months ago)

Last Updated

2026-03-07 (about 2 months ago)

Other

Published

Title

Published

2024-12-05

Title

Swift Performance Lite < 2.3.7.2 - Unauthenticated Local PHP File Inclusion via 'ajaxify'

Published

2026-02-16

Title

Open User Map < 1.4.17 - Authenticated (Subscriber+) Arbitrary File Download

Published

2025-08-11

Title

WooCommerce Purchase Orders < 1.0.3 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-03-19

Title

Order Export & Order Import for WooCommerce < 2.6.1 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function

Published

2016-05-24

Title

WP Fastest Cache <= 0.8.5.7 - Local File Inclusion (LFI)