{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7846", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T20:19:32.220Z", "datePublished": "2025-10-31T06:42:56.125Z", "dateUpdated": "2026-04-08T17:21:11.387Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:11.387Z"}, "affected": [{"vendor": "vanquish", "product": "WordPress User Extra Fields", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "16.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve"}, {"url": "https://codecanyon.net/item/user-extra-fields/12949844"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-36 Absolute Path Traversal", "cweId": "CWE-36", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "timeline": [{"time": "2025-10-30T18:34:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-31T14:26:00.687807Z", "id": "CVE-2025-7846", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T14:26:13.340Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-31T14:26:00.687807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-31T14:26:07.053Z"}}], "cna": {"title": "WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function", "credits": [{"lang": "en", "type": "finder", "value": "Tonn"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "vanquish", "product": "WordPress User Extra Fields", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "16.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-30T18:34:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve"}, {"url": "https://codecanyon.net/item/user-extra-fields/12949844"}], "descriptions": [{"lang": "en", "value": "The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:11.387Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7846", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:21:11.387Z", "dateReserved": "2025-07-18T20:19:32.220Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-31T06:42:56.125Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-7846", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-31T07:15:38.507", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/user-extra-fields/12949844"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-36"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:07:10.184637+00:00", "value": {"mitigation_remediation": ["Upgrade WordPress User Extra Fields to the latest version (\u226516.8) available from the plugin author", "If an upgrade cannot be performed immediately, remove the plugin entirely to eliminate the attack vector", "Adjust WordPress role permissions so that subscribers and lower roles cannot invoke the save_fields functionality, restricting the feature to administrators only", "Verify the site\u2019s file integrity and restore any accidental deletions of critical files after remediation"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary file deletion that can lead to remote code execution"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress User Extra Fields plugin released by Vanquish, up to and including version 16.7, are affected.", "description_and_impact": "The WordPress User Extra Fields plugin contains an insufficient file path validation flaw in its save_fields() function that allows authenticated users with Subscriber\u2011level access or higher to delete arbitrary files on the server. This flaw is a Path Traversal issue (CWE\u201136). Removing critical configuration files such as wp-config.php can give attackers direct control over the WordPress installation, effectively turning the vulnerability into a remote code execution risk.", "risk_and_exploitability": "The vulnerability scores a CVSS of 8.8, indicating high severity, while the EPSS below 1% suggests a low likelihood that it has been widely exploited to date. Although not listed in the CISA KEV catalog, an attacker would need only authenticated access with a Subscriber role or higher, making the exploitation pathway relatively simple if the plugin is in use. The weakness permits deletion of any user\u2011supplied file path, providing a potential pivot point for executing code on the host."}}}}, "created": "2025-11-03T10:44:59.907373+00:00", "updated": "2026-04-20T19:15:15.045576+00:00", "vendors": ["vanquish", "vanquish$PRODUCT$wordpress_user_extra_fields", "wordpress", "wordpress$PRODUCT$wordpress"]}