Platform: wordpress
Component: meta-box
Fixed in: 5.11.2
CVE-2025-14675 describes an arbitrary file deletion vulnerability affecting the Meta Box plugin for WordPress. This vulnerability allows authenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 5.11.1 of the plugin, and a fix is available in version 5.11.2.
The primary impact of CVE-2025-14675 is the potential for remote code execution. An attacker with Contributor-level access or higher can exploit this vulnerability to delete files on the server. The most critical scenario involves deleting the wp-config.php file, which contains sensitive database credentials and configuration settings. Deletion of this file effectively disables the WordPress site and allows the attacker to potentially gain control of the database and server. The ease of exploitation, combined with the potential for complete site compromise, makes this a significant risk. This vulnerability shares similarities with other file deletion vulnerabilities where the deletion of critical configuration files can lead to complete system takeover.
CVE-2025-14675 was published on 2026-03-07. As of this date, there are no publicly known proof-of-concept exploits. The EPSS score is currently pending evaluation. It is recommended to apply the patch promptly due to the potential for remote code execution and the relatively simple attack vector.
Exploit Status
EPSS: 0.89% (75th percentile)
The primary mitigation for CVE-2025-14675 is to upgrade the Meta Box plugin to version 5.11.2 or later. If an immediate upgrade is not possible due to compatibility issues or breaking changes, consider restricting file access permissions on the server to limit the impact of a successful exploit. Implement a Web Application Firewall (WAF) rule to block requests to the ajax_delete_file endpoint with suspicious parameters. Monitor WordPress logs for unusual file deletion activity. After upgrading, verify the fix by attempting to delete a non-essential file through the plugin's interface to confirm that file path validation is now enforced.
Update to version 5.11.2, or a newer patched version
CVE-2025-14675 is a vulnerability in the Meta Box WordPress plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution. It affects versions 0.0.0–5.11.1.
You are affected if your WordPress site uses the Meta Box plugin and is running version 0.0.0 through 5.11.1. Check your plugin versions immediately.
Upgrade the Meta Box plugin to version 5.11.2 or later to resolve the vulnerability. Consider temporary mitigations like WAF rules if immediate upgrade is not possible.
As of the publication date, there are no publicly known active exploits for CVE-2025-14675, but it's crucial to patch promptly to prevent future exploitation.
Refer to the Meta Box plugin website and WordPress security announcements for the official advisory and further details regarding this vulnerability.
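To check installs against the affected range given above (0.0.0 through 5.11.1, fixed in 5.11.2), the following added example, which is not code from the Meta Box project or from this advisory's source, walks a directory of WordPress sites and classifies each Meta Box install by its plugin header version. It assumes the plugin lives at wp-content/plugins/meta-box/meta-box.php; the three-site tree in demo() is constructed sample data.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 11, 2)  # "Fixed in" version stated in this advisory
# Assumption: the plugin sits under its slug with meta-box.php as the main file.
PLUGIN_MAIN = "wp-content/plugins/meta-box/meta-box.php"
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(header_text):
    """Return the plugin header version as an int tuple, or None if absent."""
    match = HEADER_RE.search(header_text)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "5.11" to (5, 11, 0)


def audit(root):
    """Return (site, version, status) for every install found under root."""
    findings = []
    for main in sorted(Path(root).rglob(PLUGIN_MAIN)):
        # WordPress reads plugin headers from the first 8 KB of the file.
        with open(main, "rb") as fh:
            head = fh.read(8192).decode("utf-8", errors="replace")
        version = parse_version(head)
        if version is None:
            status = "unknown"  # no Version header: inspect by hand
        else:
            status = "VULNERABLE" if version < FIXED else "patched"
        findings.append((main.parents[3].name, version, status))
    return findings


def demo():
    """Build a constructed three-site tree in a temp dir and audit it."""
    headers = {"blog": "5.11.1", "shop": "5.11.2", "docs": None}
    with tempfile.TemporaryDirectory() as root:
        for site, ver in headers.items():
            main = Path(root, site, PLUGIN_MAIN)
            main.parent.mkdir(parents=True)
            line = f" * Version: {ver}\n" if ver else ""
            main.write_text(f"<?php\n/**\n * Plugin Name: Meta Box\n{line} */\n")
        return audit(root)


if __name__ == "__main__":
    for site, version, status in demo():
        print(f"{site:6} {version} {status}")
```

Point audit() at the directory that holds your site roots; any install reported as "unknown" has no parsable Version header and needs a manual look.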