{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14037", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T15:10:01.266Z", "datePublished": "2026-03-21T03:26:55.620Z", "dateUpdated": "2026-04-08T17:06:36.398Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:36.398Z"}, "affected": [{"vendor": "invelity", "product": "Invelity Product Feeds", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link."}], "title": "Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-12T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-03-20T15:21:04.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T13:51:54.134445Z", "id": "CVE-2025-14037", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:52:05.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14037", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T13:51:54.134445Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T13:51:59.657Z"}}], "cna": {"title": "Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H"}}], "affected": [{"vendor": "invelity", "product": "Invelity Product Feeds", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-12T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-03-20T15:21:04.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve"}, {"url": "http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60"}], "descriptions": [{"lang": "en", "value": "The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:36.398Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14037", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:36.398Z", "dateReserved": "2025-12-04T15:10:01.266Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:55.620Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link."}, {"lang": "es", "value": "El plugin Invelity Product Feeds para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos mediante salto de ruta en todas las versiones hasta e incluyendo la 1.2.6. Esto se debe a la falta de validaci\u00f3n y saneamiento en la funci\u00f3n 'createManageFeedPage'. Esto hace posible que atacantes autenticados con nivel de administrador eliminen archivos arbitrarios en el servidor mediante solicitudes especialmente dise\u00f1adas que incluyen secuencias de salto de ruta, siempre que puedan enga\u00f1ar a un administrador para que haga clic en un enlace malicioso."}], "id": "CVE-2025-14037", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 5.8, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:51.263", "references": [{"source": "security@wordfence.com", "url": "http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Invelity Product Feeds", "source": "cna", "vendor": "invelity"}, "product": "invelity_product_feeds", "vendor": "invelity"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:35:58.785915+00:00", "value": {"mitigation_remediation": ["Update the Invelity Product Feeds plugin to a version newer than 1.2.6 so the path validation bug is fixed."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "All installations of the Invelity Product Feeds plugin for WordPress up to and including version\u202f1.2.6 are affected. The vulnerability applies to users with administrator privileges, the minimum authority required to trigger the deletion action.", "description_and_impact": "A flaw in the Invelity Product Feeds WordPress plugin allows authenticated administrators to delete arbitrary files on the server. The weakness is a Cross\u2011Site Request Forgery (CWE\u2011352) that arises from missing validation in the createManageFeedPage function, enabling path traversal sequences to reach any file path. When an administrator unknowingly submits a crafted request\u2014such as clicking a malicious link\u2014the plugin deletes the target file, compromising site integrity and potentially causing defacement or downtime.", "risk_and_exploitability": "The issue carries a high CVSS score of 8.1, reflecting significant potential impact. No EPSS data is available and it is not listed in the CISA KEV catalog, suggesting limited public exploitation at present. However, exploitation requires only that an administrator process a malicious request, making the attack path straightforward for an authenticated attacker. The primary risk stems from the possibility of an admin unintentionally triggering file deletions, leading to data loss, service interruption, and costly recovery effort."}}}}, "created": "2026-03-23T09:50:14.065086+00:00", "updated": "2026-03-25T14:41:55.186571+00:00", "vendors": ["invelity", "invelity$PRODUCT$invelity_product_feeds", "wordpress", "wordpress$PRODUCT$wordpress"]}