Platform
wordpress
Component
bp-xprofile-custom-field-types
Fixed in
1.2.9
CVE-2025-14997 is an arbitrary file access vulnerability affecting the BuddyPress Xprofile Custom Field Types plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to delete arbitrary files on the server. Successful exploitation can lead to remote code execution, particularly if critical files like wp-config.php are targeted. The vulnerability impacts versions 1.0.0 through 1.2.8, and a fix is available in version 1.3.0.
The primary impact of CVE-2025-14997 is that an authenticated attacker can delete arbitrary files on a WordPress server. While the vulnerability description explicitly names wp-config.php as a potential target, the attacker could delete any file the web server process has permission to remove. Deleting wp-config.php would effectively disable the WordPress site, potentially allowing the attacker to upload a malicious PHP script and gain remote code execution. This could lead to complete compromise of the server, including data exfiltration, malware installation, and further attacks against other systems on the network. The ease of exploitation, requiring only Subscriber-level access, significantly increases the risk.
CVE-2025-14997 was published on 2026-01-06. As of this date, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Given the ease of exploitation (requiring only Subscriber access) and the potential for remote code execution, this vulnerability should be considered a high priority for remediation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites utilizing the BuddyPress Xprofile Custom Field Types plugin in versions 1.0.0 through 1.2.8 are at risk. This includes sites with Subscriber-level user roles, as these users are sufficient to exploit the vulnerability. Shared hosting environments are particularly vulnerable, as they often have limited access controls and a higher density of WordPress installations.
• wordpress / composer / npm:
wp plugin list --status=inactive | grep bp-xprofile-custom-field-types
• wordpress / composer / npm:
wp plugin list | grep bp-xprofile-custom-field-types && wp plugin get bp-xprofile-custom-field-types --field=version
• wordpress / composer / npm:
find /var/www/html/wp-content/plugins/bp-xprofile-custom-field-types/ -name 'delete_field.php'
• wordpress / composer / npm:
wp plugin list | grep bp-xprofile-custom-field-types && wp plugin path bp-xprofile-custom-field-types
Exploit status
EPSS
0.94% (76th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14997 is to immediately upgrade the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to minimize the potential impact of file deletion. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the plugin's endpoints. Regularly review WordPress plugin access and ensure the principle of least privilege is followed, limiting user roles to the minimum necessary permissions. After upgrading, confirm the fix by attempting to delete a test file through the plugin's interface and verifying that the deletion is prevented.
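As an added example (not part of this advisory or of the plugin project), the following POSIX shell check reads the installed plugin version with wp-cli and reports whether it falls inside the affected range 1.0.0 through 1.2.8 stated above. It takes the slug bp-xprofile-custom-field-types from the page header and assumes wp-cli is on PATH; the version-comparison helper is constructed here, not taken from wp-cli.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag installs of
# bp-xprofile-custom-field-types whose version lies in the affected
# range 1.0.0 .. 1.2.8 given on this page. Assumes wp-cli on PATH.

PLUGIN_SLUG='bp-xprofile-custom-field-types'
FIRST_AFFECTED='1.0.0'
LAST_AFFECTED='1.2.8'

# version_cmp A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Compares dot-separated numeric components; a suffix such as "-beta"
# is ignored and missing components count as 0 (1.2 == 1.2.0).
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# is_affected VERSION: succeeds when FIRST_AFFECTED <= VERSION <= LAST_AFFECTED
is_affected() {
    [ "$(version_cmp "$1" "$FIRST_AFFECTED")" -ge 0 ] &&
    [ "$(version_cmp "$1" "$LAST_AFFECTED")" -le 0 ]
}

# check_site WP_PATH: reads the installed version via wp-cli and reports.
# Returns 1 when the site is affected, 0 otherwise (plugin absent counts
# as 0), so it can gate a cron job or a deployment step.
check_site() {
    v=$(wp plugin get "$PLUGIN_SLUG" --path="$1" --field=version 2>/dev/null) || {
        echo "$1: $PLUGIN_SLUG not installed"
        return 0
    }
    if is_affected "$v"; then
        echo "$1: $PLUGIN_SLUG $v is in the affected range for CVE-2025-14997; upgrade to 1.3.0 or later"
        return 1
    fi
    echo "$1: $PLUGIN_SLUG $v is outside the affected range"
    return 0
}
```

Source the file and call `check_site /var/www/html` for each WordPress root you manage; a non-zero return marks an install that still needs the upgrade.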
Update to version 1.3.0 or a later patched version.
CVE-2025-14997 is a HIGH severity vulnerability in the BuddyPress Xprofile Custom Field Types plugin for WordPress, allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using BuddyPress Xprofile Custom Field Types versions 1.0.0 through 1.2.8. Upgrade to 1.3.0 or later to resolve the issue.
Upgrade the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later. If immediate upgrade is not possible, restrict file permissions and consider a WAF.
There is currently no evidence of active exploitation of CVE-2025-14997 in the wild.
Refer to the official BuddyPress Xprofile Custom Field Types plugin documentation and WordPress security advisories for the latest information.