Platform
wordpress
Component
meta-box
Fixed in
5.11.2
CVE-2025-14675 describes an arbitrary file access vulnerability discovered in the Meta Box plugin for WordPress. This flaw allows authenticated attackers, possessing Contributor-level access or higher, to delete files on the server. The most critical impact arises from the potential deletion of wp-config.php, which could lead to remote code execution. The vulnerability affects versions from 0.0.0 up to and including 5.11.1, with a fix available in version 5.11.2.
The primary impact of CVE-2025-14675 is the ability for an authenticated attacker to delete arbitrary files on a WordPress server. While requiring Contributor-level access, this is a relatively low privilege threshold, making many WordPress installations vulnerable. The most severe consequence stems from the potential deletion of the wp-config.php file. This file contains sensitive database credentials and configuration settings. Its deletion effectively disables the WordPress site and provides an attacker with a pathway to gain complete control over the server by uploading and executing malicious code. Successful exploitation could lead to data breaches, website defacement, and complete server compromise. This vulnerability shares similarities with other file deletion vulnerabilities where the attacker can manipulate file paths to target critical system files.
CVE-2025-14675 was publicly disclosed on 2026-03-07. As of this date, there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Monitor WordPress security forums and vulnerability databases for any updates regarding exploitation attempts.
WordPress websites using the Meta Box plugin, particularly those with users having Contributor-level access or higher, are at risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially impact others.
• wordpress / composer / npm: grep -r 'ajax_delete_file' /var/www/html/wp-content/plugins/meta-box/
• wordpress / composer / npm: wp plugin list --status=active | grep 'meta-box'
• wordpress / composer / npm: wp plugin update meta-box
• generic web: Check the WordPress plugin directory for updates and security advisories related to Meta Box.
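The commands above rely on wp-cli being installed. The following script is an added example, not part of the advisory or of the Meta Box project: it reads the Version: header of the plugin's main file directly and compares it against the fixed release 5.11.2 with a dotted-version comparison, so it also works on hosts without wp-cli. It assumes the plugin's main file lives at wp-content/plugins/meta-box/meta-box.php (a hypothetical path for this demonstration) and that GNU sort -V is available; the sample plugin header it inspects is constructed inline.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether an installed Meta Box
# version falls inside the affected range (0.0.0 through 5.11.1) by reading the
# plugin header. Assumed path: wp-content/plugins/meta-box/meta-box.php.

FIXED_VERSION="5.11.2"

# version_lt A B: exit 0 when dotted version A sorts strictly before B.
# Relies on GNU sort -V for natural version ordering.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# metabox_status VERSION: print "vulnerable" for releases before 5.11.2,
# otherwise "patched".
metabox_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# plugin_version FILE: extract the "Version:" header line of a WordPress
# plugin main file (handles both " * Version: x" and "Version: x" forms).
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*//p' "$1" \
        | head -n1 | tr -d '[:space:]'
}

# check_install WPROOT: report absent / vulnerable / patched for the Meta Box
# install beneath a WordPress root directory.
check_install() {
    f="$1/wp-content/plugins/meta-box/meta-box.php"
    if [ ! -f "$f" ]; then
        echo absent
        return 0
    fi
    metabox_status "$(plugin_version "$f")"
}

# Constructed sample install for the demonstration (not a real site).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/plugins/meta-box"
cat > "$demo_root/wp-content/plugins/meta-box/meta-box.php" <<'EOF'
<?php
/**
 * Plugin Name: Meta Box
 * Version: 5.11.1
 */
EOF
echo "demo install: $(check_install "$demo_root")"
rm -rf "$demo_root"
```

Run it as check_install /var/www/html on a real host; a result of "vulnerable" means the plugin must be updated to 5.11.2 or later before relying on any of the mitigations below.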
Disclosure
Exploit status
EPSS
0.89% (75th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14675 is to immediately upgrade the Meta Box plugin to version 5.11.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file upload permissions for users with Contributor-level access. Implementing a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the ajax_delete_file endpoint can provide an additional layer of defense. Carefully review user roles and permissions within WordPress to ensure that only necessary users have file management capabilities. After upgrading, verify the fix by attempting to delete a non-critical file through the plugin's interface to confirm that file path validation is now enforced.
Update to version 5.11.2 or a newer patched version.
CVE-2025-14675 is a vulnerability in the Meta Box WordPress plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–5.11.1.
You are affected if your WordPress site uses the Meta Box plugin and is running version 0.0.0 through 5.11.1. Check your plugin versions immediately.
Upgrade the Meta Box plugin to version 5.11.2 or later to resolve the vulnerability. Consider temporary mitigations like WAF rules if immediate upgrade is not possible.
As of the publication date, there are no publicly known active exploits for CVE-2025-14675, but it's crucial to patch promptly to prevent future exploitation.
Refer to the Meta Box plugin website and WordPress security announcements for the official advisory and further details regarding this vulnerability.