BuddyPress Xprofile Custom Field Types <= 1.2.8 - 认证 (订阅者+) 任意文件删除

该漏洞允许攻击者通过删除关键文件，例如 wp-config.php，从而在 WordPress 站点上执行任意代码。攻击者需要具备 Subscriber 级别的访问权限才能利用此漏洞。成功利用此漏洞可能导致服务器被完全控制，敏感数据泄露，以及恶意软件植入。由于该插件广泛使用，潜在影响范围非常大，尤其是在共享主机环境中，多个站点可能受到影响。

WordPress websites utilizing the BuddyPress Xprofile Custom Field Types plugin in versions 1.0.0 through 1.2.8 are at risk. This includes sites with Subscriber-level user roles, as these users are sufficient to exploit the vulnerability. Shared hosting environments are particularly vulnerable, as they often have limited access controls and a higher density of WordPress installations.

• wordpress / composer / npm:

wp plugin list --status=inactive | grep 'BuddyPress Xprofile Custom Field Types'

• wordpress / composer / npm:

wp plugin list | grep 'BuddyPress Xprofile Custom Field Types' && wp plugin version 'BuddyPress Xprofile Custom Field Types'

• wordpress / composer / npm:

find /var/www/html/wp-content/plugins/buddybp-xprofile-custom-field-types/ -name 'delete_field.php'

• wordpress / composer / npm:

wp plugin list | grep 'BuddyPress Xprofile Custom Field Types' && wp plugin path 'BuddyPress Xprofile Custom Field Types'

1. 2026-01-06Disclosure

   disclosure

1. 已保留2025-12-20
2. 发布日期2026-01-06
3. 修改日期2026-04-08
4. EPSS 更新日期2026-03-23

最有效的缓解措施是立即将 BuddyPress Xprofile Custom Field Types 插件升级至 1.3.0 或更高版本。如果无法立即升级，可以考虑限制文件上传权限，并审查插件的配置，确保没有不必要的权限被授予。此外，实施 Web 应用防火墙 (WAF) 规则，阻止对 delete_field 函数的恶意请求，可以提供额外的保护。监控 WordPress 站点日志，查找可疑的文件删除活动，有助于及早发现和响应潜在攻击。

活跃安装数

4K小众

插件评分

4.9

需要WordPress版本

5.0+

兼容至

6.9.4

需要PHP版本

5.3+