{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14997", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-20T13:26:29.814Z", "datePublished": "2026-01-06T04:31:57.046Z", "dateUpdated": "2026-04-08T17:05:31.387Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:31.387Z"}, "affected": [{"vendor": "buddydev", "product": "BuddyPress Xprofile Custom Field Types", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sarawut Poolkhet"}], "timeline": [{"time": "2026-01-05T16:27:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:56:51.111876Z", "id": "CVE-2025-14997", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:57:03.517Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14997", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:56:51.111876Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:56:56.540Z"}}], "cna": {"title": "BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Sarawut Poolkhet"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "buddydev", "product": "BuddyPress Xprofile Custom Field Types", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-05T16:27:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types"}], "descriptions": [{"lang": "en", "value": "The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:31.387Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14997", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:31.387Z", "dateReserved": "2025-12-20T13:26:29.814Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T04:31:57.046Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-14997", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-01-06T05:16:03.437", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be8eb7bf5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:07:27.760472+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest BuddyPress Xprofile Custom Field Types release that corrects the delete_field path validation flaw.", "If an upgrade is not feasible, uninstall the plugin to remove the delete capability.", "After the update or removal, enforce strict file\u2011system permissions or apply server\u2011side restrictions (such as open_basedir or .htaccess deny rules) so the web server cannot write to sensitive files like wp\u2011config.php, thereby mitigating the risk of accidental or malicious deletion."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion with potential remote code execution"}, "threat_synthesis": {"affected_systems": "This issue affects every installation of BuddyPress Xprofile Custom Field Types up to and including version 1.2.8. The plugin is a WordPress add\u2011on, so any WordPress site using those versions is impacted. No other products are referenced.", "description_and_impact": "The BuddyPress Xprofile Custom Field Types plugin contains a flaw in the delete_field function that does not properly validate the file path. An attacker who can log in with any role of Subscriber or higher can supply an arbitrary path and trigger deletion. Removing critical files such as wp-config.php can give the attacker a foothold for remote code execution, or lead to site compromise. The vulnerability arises from insufficient path validation, classified as a path traversal defect.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity; the EPSS score of less than 1% means current exploitation probability is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attacker must be authenticated and have at least Subscriber permissions, which is commonly granted to many users on a site. Once authenticated, the attacker can send a request to the plugin\u2019s delete endpoint with a crafted file path and cause deletion of any file the web server process can write to."}}}}, "created": "2026-01-06T14:15:59.219609+00:00", "updated": "2026-04-22T00:15:03.769806+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}