{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5014", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-20T16:58:26.942Z", "datePublished": "2025-07-02T03:47:25.367Z", "dateUpdated": "2026-04-08T17:15:41.151Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:41.151Z"}, "affected": [{"vendor": "Chimp Group", "product": "Home Villas | Real Estate WordPress Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afd4f2ca-9c27-4de0-ac82-3cd107b6a092?source=cve"}, {"url": "http://localhost:1337/wp-content/themes/homevillas-real-estate/include/backend/cs-widgets/import/cs-class-widget-data.php#L384"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "timeline": [{"time": "2025-07-01T14:57:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-02T13:00:23.519247Z", "id": "CVE-2025-5014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:15:00.600Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5014", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-02T13:00:23.519247Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-02T13:05:20.405Z"}}], "cna": {"title": "Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Th\u00e1i An"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Chimp Group", "product": "Home Villas | Real Estate WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-01T14:57:19.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afd4f2ca-9c27-4de0-ac82-3cd107b6a092?source=cve"}, {"url": "http://localhost:1337/wp-content/themes/homevillas-real-estate/include/backend/cs-widgets/import/cs-class-widget-data.php#L384"}], "descriptions": [{"lang": "en", "value": "The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:41.151Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5014", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:41.151Z", "dateReserved": "2025-05-20T16:58:26.942Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-02T03:47:25.367Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El tema Home Villas | Real Estate WordPress Theme para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n 'wp_rem_cs_widget_file_delete' en todas las versiones hasta la 2.8 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-5014", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-02T04:15:56.833", "references": [{"source": "security@wordfence.com", "url": "http://localhost:1337/wp-content/themes/homevillas-real-estate/include/backend/cs-widgets/import/cs-class-widget-data.php#L384"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afd4f2ca-9c27-4de0-ac82-3cd107b6a092?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T22:43:57.958692+00:00", "value": {"mitigation_remediation": ["Upgrade the Home Villas theme to a version newer than 2.8 that removes the vulnerable file deletion function.", "If an upgrade is not feasible, revoke or remove the wp_rem_cs_widget_file_delete functionality from the theme, for example by disabling or commenting out the function in the theme files, thereby preventing authenticated users from executing it.", "Apply stricter file system permissions and enforce path validation by ensuring that any file deletion code checks the full canonical path against a whitelist of allowed directories before performing the operation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to the Chimp Group Home Villas Real Estate WordPress Theme in all releases up to and including version 2.8. Any WordPress installation using these theme files is affected.", "description_and_impact": "The Home Villas WordPress theme contains a flaw in the wp_rem_cs_widget_file_delete function that performs insufficient file path validation. This permits an attacker with authenticated Subscriber\u2011level or higher access to delete arbitrary files on the web server, exposing the victim to the possibility of remote code execution should a critical file such as wp\u2011config.php be removed. The weakness is a path traversal issue, categorised as CWE\u201122.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this flaw as high severity, and the EPSS score of 3% indicates a moderate but non\u2011negligible likelihood of exploitation in the wild. Because the flaw requires authentication at the Subscriber level or higher, an attacker needs valid credentials but can then delete arbitrary files. The vulnerability is not currently listed in the CISA KEV catalogue, suggesting limited known exploitation, yet its impact warrants timely remediation."}}}}, "created": "2026-04-20T22:30:19.872364+00:00", "updated": "2026-04-28T22:45:25.948890+00:00", "vendors": []}