Platform
wordpress
Component
invelity-products-feeds
Fixed in
1.2.7
CVE-2025-14037 describes an arbitrary file deletion vulnerability discovered in the Invelity Product Feeds plugin for WordPress. This flaw allows authenticated administrator-level users to delete arbitrary files on the server by exploiting insufficient input validation within the 'createManageFeedPage' function. Versions 1.0.0 through 1.2.6 are affected, and a fix is expected to be released by the vendor.
Successful exploitation of CVE-2025-14037 could lead to severe consequences for WordPress websites using the Invelity Product Feeds plugin. An attacker, posing as an administrator or tricking an administrator into clicking a malicious link, can delete critical system files, configuration files, or even application code. This could result in complete website downtime, data loss, and potential compromise of the underlying server. The ability to delete arbitrary files significantly expands the attack surface and allows for potential privilege escalation or further exploitation of the system. This vulnerability shares similarities with other path traversal exploits where attackers leverage predictable file system structures to gain unauthorized access and control.
CVE-2025-14037 was published on 2026-03-21. Its severity is rated HIGH with a CVSS score of 8.1. There is no indication of this vulnerability being listed on KEV or having an EPSS score at this time. Public proof-of-concept (POC) code is currently unknown, but the nature of the vulnerability suggests that it is likely to be developed and shared publicly. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14037 is to upgrade the Invelity Product Feeds plugin to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests containing path traversal sequences (e.g., '../'). Additionally, restrict administrator access and carefully review any links clicked by administrators. Monitor WordPress logs for suspicious file deletion attempts. After upgrading, verify the integrity of critical system files and configurations to ensure no unauthorized changes have occurred.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-14037 is a HIGH severity vulnerability allowing authenticated administrators to delete arbitrary files on a WordPress server through the Invelity Product Feeds plugin versions 1.0.0–1.2.6 due to insufficient input validation.
You are affected if your WordPress website uses the Invelity Product Feeds plugin and is running version 1.0.0 through 1.2.6. Check your plugin version immediately.
Upgrade the Invelity Product Feeds plugin to the latest available version as soon as a patch is released. Until then, implement WAF rules to block path traversal attempts.
While there are no confirmed reports of active exploitation at this time, the vulnerability's nature suggests it is likely to be targeted. Monitor security advisories and threat intelligence feeds.
Check the Invelity website and WordPress plugin repository for updates and security advisories related to CVE-2025-14037. Monitor WordPress security news sources for announcements.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.