WordPress Plugin Vulnerabilities

BuddyPress Xprofile Custom Field Types < 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion

Description

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
bp-xprofile-custom-field-types
Fixed in 1.3.0

References

CVE
CVE-2025-14997
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Sarawut Poolkhet (MisterHelloz)
Verified
No
WPVDB ID
b67ec153-9697-4370-ae56-78b3733fe71a

Timeline

Publicly Published
2026-01-05 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-03-24 (about 2 months ago)

Other

Published
Title
Published
2024-12-05
Title
DELUCKS SEO <= 2.7.0 - Subscriber+ Arbitrary File Read
Published
2015-02-11
Title
WordPress Slider Revolution - Local File Disclosure
Published
2015-01-15
Title
GI-Media Library < 3.0 - Arbitrary File Download
Published
2025-08-24
Title
Custom Query Shortcode < 0.5.0 - Authenticated (Contributor+) Path Traversal via lens Parameter
Published
2025-03-29
Title
Smush Image Compression and Optimization < 3.17.1 - Admin+ Directory Traversal