Impact
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a flaw that allows authenticated users to delete arbitrary files by manipulating the unvalidated POST parameters field_hiddenfile and field_deleteimg during profile editing. The client-supplied value reaches the plugin's file-deletion call without being confined to the plugin's upload directory, which is a classic path traversal weakness (CWE-22, improper limitation of a pathname to a restricted directory). It gives an attacker the ability to unlink any file on the server that the web server's process user is permitted to delete. Removing critical application files causes a denial of service and, depending on which files are removed, may open the way to further compromise up to remote code execution.
Affected Systems
The vulnerability affects the BuddyPress Xprofile Custom Fields Type plugin, version 2.6.3, published by donmik and deployed on WordPress sites that use the BuddyPress Extended Profiles (xprofile) component. No other vendor or product versions are listed in the CNA data, so the flaw appears to be confined to this release; administrators running it should check whether a patched release is available.
Risk and Exploitability
The CVSS score of 8.7 classifies this as a high-severity issue. No EPSS score is available, so exploitation likelihood cannot be estimated quantitatively, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated account that can edit extended profile fields; on most BuddyPress sites that is any registered member, so the attacker is a remote, low-privileged user rather than an administrator, and sites with open registration are exposed to anyone who can create an account. The exploit is a crafted POST request to the profile edit endpoint, so mitigation means fixing the handler so that it never takes a file path from the client (it should delete only the file the server recorded for that user's field, after confirming the resolved path lies inside the upload directory), and, until that fix is applied, limiting who can register and edit profiles and watching profile-edit requests whose field_hiddenfile or field_deleteimg values contain path separators or traversal sequences.
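The PHP sketch below is added here as an illustration of the flaw described under Impact and of the mitigation outlined above; it is not code from the plugin. The function names, the nonce action 'bpx_delete_image', the 'bpx-uploads' subdirectory and the assumption that the plugin stores the uploaded file's name as the xprofile field value are all hypothetical. The WordPress and BuddyPress functions it calls (check_admin_referer, get_current_user_id, current_user_can, wp_upload_dir, wp_delete_file, xprofile_get_field_data, xprofile_delete_field_data) are real APIs, used with their normal signatures.

```php
<?php
// Added illustrative example, not code from the plugin. Function names,
// the nonce action 'bpx_delete_image' and the 'bpx-uploads' subdirectory
// are hypothetical.

// Vulnerable pattern: a client-controlled path goes straight to unlink().
// Any file the web server's process user may delete is reachable, e.g.
// field_deleteimg=../../../../wp-config.php
function bpx_delete_image_vulnerable() {
    if ( ! empty( $_POST['field_deleteimg'] ) ) {
        @unlink( $_POST['field_deleteimg'] );
    }
}

// Resolve a bare file name inside $basedir and return the canonical path,
// or false if the name is empty, the file does not exist, is not a regular
// file, or the resolved path escapes $basedir (realpath() collapses '..'
// and follows symlinks, so the prefix check is done on the real path).
function bpx_confine_to_dir( $basedir, $name ) {
    $base = realpath( $basedir );
    $name = basename( (string) $name );          // strip any directory part
    if ( false === $base || '' === $name || '.' === $name || '..' === $name ) {
        return false;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target
         || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
         || ! is_file( $target ) ) {
        return false;                             // outside the allowed directory
    }
    return $target;
}

// Hardened handler: the client supplies only the field id. The file to
// delete comes from what the server stored for this user, and it must
// resolve inside the plugin's upload directory.
function bpx_delete_image_hardened( $field_id, $user_id ) {
    check_admin_referer( 'bpx_delete_image' );   // CSRF check; dies on failure

    $field_id = (int) $field_id;
    $user_id  = (int) $user_id;

    // Only the profile owner or a BuddyPress moderator may delete the image.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'bp_moderate' ) ) {
        return false;
    }

    // Server-side record of the uploaded file (assumed to be stored as the
    // field value); nothing from $_POST is ever used as a path.
    $stored = xprofile_get_field_data( $field_id, $user_id );
    if ( empty( $stored ) || ! is_string( $stored ) ) {
        return false;
    }

    $upload = wp_upload_dir();
    $target = bpx_confine_to_dir( $upload['basedir'] . '/bpx-uploads', $stored );
    if ( false === $target ) {
        return false;
    }

    wp_delete_file( $target );
    xprofile_delete_field_data( $field_id, $user_id );
    return true;
}
```

The hardened handler would be invoked from the profile-edit form handler when the user ticks the delete option for a field, passing only the field id and the profile owner's user id. Two design points carry the fix: the request no longer contains a path at all, so there is nothing for the attacker to traverse, and bpx_confine_to_dir still enforces the upload-directory boundary on the stored value in case the database record has been tampered with through some other route.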
OpenCVE Enrichment