Platform: wordpress
Component: career-section
Fixed in: 1.6.1, 1.7
CVE-2025-14868 identifies a Path Traversal vulnerability within the Career Section plugin for WordPress. This flaw allows unauthenticated attackers to delete arbitrary files on the server by crafting malicious requests. The vulnerability impacts versions of the plugin up to and including 1.6. A fix is available in version 1.7.
The primary impact of CVE-2025-14868 is the potential for arbitrary file deletion. An attacker can leverage Cross-Site Request Forgery (CSRF) to trick a site administrator into executing a forged request that targets the plugin's delete functionality. Successful exploitation could lead to the deletion of critical configuration files, core WordPress files, or even system files, potentially rendering the website inoperable or compromising the entire server. The blast radius extends beyond the plugin itself, as the attacker gains the ability to manipulate files outside the plugin's intended scope. This vulnerability shares similarities with other CSRF-based file deletion vulnerabilities, highlighting the importance of proper input validation and nonce protection.
CVE-2025-14868 was publicly disclosed on 2026-04-16. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the availability of CSRF techniques suggest a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability's reliance on CSRF makes it less likely to be exploited in automated campaigns, but targeted attacks against administrators remain a concern.
Exploit Status
EPSS: 0.02% (5th percentile)
CISA SSVC
CVSS Vector
The most effective mitigation for CVE-2025-14868 is to immediately upgrade the Career Section plugin to version 1.7 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests targeting the 'appformoptionspage_html' function with suspicious parameters. Additionally, ensure that all WordPress administrators are aware of the vulnerability and trained to avoid clicking on suspicious links. Regularly review WordPress plugin permissions and restrict access to sensitive files and directories. After upgrading, confirm the fix by attempting a CSRF attack against the delete functionality and verifying that the request is properly blocked.
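The advisory ties the flaw to a delete action reachable by a forged request and to a file path that is not confined to the plugin's own directory. The hardened handler below is an added example, not the Career Section plugin's code; every `cs_example_*` name, the `career-section/` uploads subdirectory and the `file` POST parameter are hypothetical. It shows the two checks a defender expects on such an action: a capability plus nonce check so a cross-site request cannot trigger the delete, and canonical-path confinement so the file name cannot escape the managed directory.

```php
<?php
// Hypothetical base directory the plugin is allowed to delete from.
function cs_example_base_dir(): string {
    $upload = wp_upload_dir();
    return trailingslashit( $upload['basedir'] ) . 'career-section/';
}

// Resolve a user-supplied name to an absolute path inside $base, or null.
// realpath() collapses "../" and symlinks, so the prefix comparison is done
// on the canonical path rather than on the raw input.
function cs_example_resolve_inside( string $base, string $name ): ?string {
    $base_real = realpath( $base );
    if ( $base_real === false ) {
        return null;
    }
    // Reject anything that is not a plain file name before touching the FS.
    if ( $name === '' || $name !== basename( $name ) ) {
        return null;
    }
    $target = realpath( $base_real . DIRECTORY_SEPARATOR . $name );
    if ( $target === false || ! is_file( $target ) ) {
        return null;
    }
    // Defense in depth: the canonical target must sit strictly below $base.
    if ( strpos( $target, $base_real . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $target;
}

// Hypothetical admin-post handler for the delete action.
function cs_example_handle_delete(): void {
    // Capability check: only administrators may delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: a forged cross-site request carries no valid nonce,
    // so check_admin_referer() stops it here.
    check_admin_referer( 'cs_example_delete_file', 'cs_example_nonce' );

    $name   = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $target = cs_example_resolve_inside( cs_example_base_dir(), $name );
    if ( $target === null ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $target );
}
add_action( 'admin_post_cs_example_delete', 'cs_example_handle_delete' );
```

The form that submits this action must embed the matching nonce with `wp_nonce_field( 'cs_example_delete_file', 'cs_example_nonce' )`, otherwise legitimate deletes are rejected too.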
Update to version 1.7, or a newer patched version
CVE-2025-14868 is a Path Traversal vulnerability in the Career Section WordPress plugin allowing attackers to delete arbitrary files via CSRF. It affects versions up to 1.6.
If you are using the Career Section WordPress plugin version 1.6 or earlier, you are vulnerable to this Path Traversal attack.
Upgrade the Career Section plugin to version 1.7 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's nature and reliance on CSRF suggest a potential for targeted attacks.
Refer to the plugin developer's website or the WordPress plugin directory for the latest advisory and update information.