Platform
wordpress
Component
career-section
Fixed in
1.6.1
1.7
CVE-2025-14868 identifies a Path Traversal vulnerability within the Career Section plugin for WordPress. This flaw allows unauthenticated attackers to delete arbitrary files on the server by crafting malicious requests. The vulnerability impacts versions of the plugin up to and including 1.6. A fix is available in version 1.7.
The primary impact of CVE-2025-14868 is the potential for arbitrary file deletion. An attacker can craft a malicious CSRF request that, if successfully executed by a site administrator (e.g., by clicking a crafted link), will delete files on the server. This could lead to denial of service, data loss, or even compromise of sensitive system files. The lack of nonce validation and insufficient file path sanitization in the 'appformoptionspage_html' function are the root causes. Successful exploitation requires tricking a site administrator into performing the malicious action, but the consequences can be severe.
CVE-2025-14868 was published on 2026-04-16. While no public proof-of-concept (PoC) has been released at the time of writing, the combination of a CSRF vulnerability and the ability to delete arbitrary files represents a significant risk. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation (requiring only social engineering to target an administrator) increases the likelihood of exploitation.
Websites utilizing the Career Section plugin, particularly those with WordPress administrators who are susceptible to phishing or social engineering attacks, are at risk. Shared hosting environments where multiple websites share the same server are also at increased risk, as a successful exploit on one site could potentially impact others.
• wordpress / composer / npm:
grep -r 'appform_options_page_html' /var/www/html/wp-content/plugins/career-section/
• wordpress / composer / npm:
wp plugin list | grep 'career-section'
• wordpress / composer / npm:
wp plugin update career-section --version=1.7
• generic web: Check the WordPress plugin directory for outdated versions of Career Section.
Disclosure
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14868 is to immediately upgrade the Career Section plugin to version 1.7 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file paths or patterns related to the 'delete' action. Additionally, restrict access to the plugin's administrative interface to trusted users only. Regularly review WordPress plugin permissions and ensure they adhere to the principle of least privilege. After upgrading, confirm the vulnerability is resolved by attempting a CSRF attack with a non-existent file path – it should be rejected.
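The advisory names two missing controls as the root causes, nonce validation and file path sanitization. The handler below is an added example, not the Career Section plugin's code, showing how a WordPress admin file-delete action is normally hardened against both; the action, function, directory and option names are hypothetical.

```php
<?php
// Added example (hypothetical names): a hardened admin file-delete handler that
// applies the two controls the advisory says were missing. Not plugin code.

add_action( 'admin_post_cs_example_delete_file', 'cs_example_handle_delete' );

function cs_example_handle_delete() {
    // 1. Capability check: only users allowed to manage options may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Nonce validation: rejects forged (CSRF) requests that do not carry a
    //    valid per-user, per-action token. check_admin_referer() dies on failure.
    check_admin_referer( 'cs_example_delete_file' );

    // 3. Path sanitization: accept a bare file name only, never a path component.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_die( 'Invalid file name', '', array( 'response' => 400 ) );
    }

    // 4. Confine deletion to one directory owned by the plugin and verify the
    //    resolved path is still inside it after '..' and symlinks are resolved.
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'cs-example' );
    $path = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $path || ! is_file( $path )
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'File not found', '', array( 'response' => 404 ) );
    }

    wp_delete_file( $path );
    wp_safe_redirect( admin_url( 'admin.php?page=cs-example&deleted=1' ) );
    exit;
}

// The submitting form must emit the matching token, e.g. inside the <form>:
// wp_nonce_field( 'cs_example_delete_file' );
```

The capability check and the nonce check are independent: the first stops non-admins, the second stops an admin's browser from being driven by a forged request, which is the scenario the advisory describes.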
Update to version 1.7 or a newer patched version
CVE-2025-14868 is a Path Traversal vulnerability in the Career Section WordPress plugin allowing attackers to delete arbitrary files via CSRF. It affects versions up to 1.6.
If you are using the Career Section WordPress plugin version 1.6 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade the Career Section plugin to version 1.7 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's nature and reliance on CSRF suggest a potential for targeted attacks.
Refer to the plugin developer's website or the WordPress plugin directory for the latest advisory and update information.