Platform
wordpress
Component
bp-xprofile-custom-field-types
Fixed in
1.2.9
CVE-2025-14997 is an arbitrary file access vulnerability affecting the BuddyPress Xprofile Custom Field Types plugin for WordPress. This flaw allows authenticated attackers, even those with Subscriber-level access, to delete arbitrary files on the server. Successful exploitation can lead to remote code execution, particularly if critical files like wp-config.php are targeted. The vulnerability impacts versions 1.0.0 through 1.2.8, and a fix is available in version 1.3.0.
The primary impact of CVE-2025-14997 is that an authenticated attacker can delete files on the WordPress server. The vulnerability requires authentication (Subscriber level or higher), but on many WordPress installations open registration makes that a low barrier. The most severe consequence arises when an attacker deletes a critical configuration file such as wp-config.php. Without that file the site stops working and WordPress falls back to its installation routine, which is how an attacker could reconstruct the site under their own control and reach complete server compromise. Arbitrary file deletion also enables less severe attacks such as defacement or denial of service. Like other file-deletion vulnerabilities, this one stems from insufficient validation of user-supplied input before it is used to select a file on disk.
CVE-2025-14997 was publicly disclosed on 2026-01-06. There is no indication of this vulnerability being actively exploited in the wild at this time. The EPSS score is pending evaluation, but the potential for remote code execution suggests a medium to high probability of exploitation if a suitable proof-of-concept is developed and widely distributed. No KEV listing exists as of this writing.
Exploit Status
EPSS
0.94% (76% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14997 is to upgrade the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later immediately. If upgrading is not feasible right away because of compatibility issues or breaking changes, restrict file-system permissions so that the web server account can modify only the directories it genuinely needs to write; this limits what a successful attack can delete. A Web Application Firewall (WAF) with rules that block suspicious file-deletion requests adds a further layer of defense, although it is not a complete solution. Regularly review installed WordPress plugins and obtain them only from trusted sources to reduce the chance of introducing similar vulnerabilities in the future.
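The root cause described above is a file-deletion handler that trusts user input, and the mitigation section asks for least privilege. The following is an added example, not the plugin's own code or its fix, of how a WordPress plugin can implement a deletion endpoint defensively: it checks a capability that Subscriber accounts do not have, verifies a nonce, rejects any input that is not a plain file name, confines the operation to one directory under wp-content/uploads, and canonicalises the path before checking containment. The action name, function name, `file` and `nonce` parameters and the `example-plugin` subdirectory are hypothetical; the WordPress functions called (`current_user_can`, `check_ajax_referer`, `sanitize_file_name`, `wp_upload_dir`, `wp_delete_file`, `wp_send_json_*`) are core API.

```php
<?php
// Added example of a hardened file-deletion handler for a WordPress plugin.
// Not the BuddyPress Xprofile Custom Field Types code. Names marked
// "hypothetical" below are assumptions for illustration only.

// Hypothetical AJAX action; only logged-in users reach wp_ajax_* hooks.
add_action( 'wp_ajax_example_delete_upload', 'example_delete_upload' );

function example_delete_upload() {
    // 1. Capability check. Subscribers do not have 'upload_files', so a
    //    Subscriber-level account is refused before any input is inspected.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'example_delete_upload' ) for this action.
    check_ajax_referer( 'example_delete_upload', 'nonce' );

    // 3. Treat the 'file' parameter (hypothetical) as untrusted. Accept only
    //    a bare file name: anything that basename()/sanitize_file_name()
    //    would alter (slashes, "..", control characters) is rejected outright.
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $safe_name = sanitize_file_name( basename( $requested ) );
    if ( '' === $safe_name || $safe_name !== $requested ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Confine deletion to one directory owned by this plugin inside
    //    wp-content/uploads, then canonicalise and verify containment so
    //    symlinks or encoding tricks cannot escape the directory.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-plugin' );
    $target = $base ? realpath( $base . DIRECTORY_SEPARATOR . $safe_name ) : false;

    if ( ! $base || ! $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path outside allowed directory', 400 );
    }

    // 5. Delete only a regular file; directories and special files are refused.
    if ( ! is_file( $target ) ) {
        wp_send_json_error( 'not a regular file', 404 );
    }
    wp_delete_file( $target );

    wp_send_json_success( array( 'deleted' => $safe_name ) );
}
```

The containment check in step 4 is the part that distinguishes a safe handler from an arbitrary-file-deletion primitive: `realpath()` resolves `..` segments and symlinks, and the `strpos` comparison against `$base` plus a separator guarantees the resolved path is strictly inside the allowed directory rather than merely sharing a prefix with it. Running the web server account with write access limited to wp-content/uploads, as the mitigation text recommends, means that even a defective handler cannot remove wp-config.php.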
Update to version 1.3.0, or a newer patched version
CVE-2025-14997 is a HIGH severity vulnerability in the BuddyPress Xprofile Custom Field Types plugin for WordPress, allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using BuddyPress Xprofile Custom Field Types versions 1.0.0 through 1.2.8. Upgrade to 1.3.0 or later to resolve the issue.
Upgrade the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later. If immediate upgrade is not possible, restrict file permissions and consider a WAF.
There is currently no evidence of active exploitation of CVE-2025-14997 in the wild.
Refer to the official BuddyPress Xprofile Custom Field Types plugin documentation and WordPress security advisories for the latest information.