Description
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2026-03-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Meta Box plugin for WordPress is impacted by a flaw that permits authenticated users with Contributor or higher permissions to delete arbitrary files on the server. The vulnerability is caused by inadequate validation of file paths in the ajax_delete_file function. If an attacker can remove critical files such as wp-config.php, the deletion can facilitate remote code execution or other destructive actions.

Affected Systems

The affected product is the Meta Box plugin (metabox:Meta Box) for WordPress. All releases up to and including version 5.11.1 are vulnerable. No other plugin versions are mentioned.

Risk and Exploitability

With a CVSS score of 7.2 the flaw is rated High, but the EPSS score is low (<1%), indicating that exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires a logged-in user with Contributor or higher privileges who can reach the plugin's AJAX endpoint and issue a file deletion request. The attack relies on insufficient path validation; its direct effect is limited to files on the server, but deleting core files such as wp-config.php can lead to full compromise.

Generated by OpenCVE AI on April 22, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Meta Box plugin to version 5.11.2 or later, which removes the file‑path validation flaw.
  • Reduce or remove the file‑deletion capability for Contributor and lower roles so that only administrators can trigger ajax_delete_file.
  • Add additional server‑side validation to confirm that any file deletion request references a path within the approved uploads directory, denying deletions outside that scope.
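The third action above describes the check a hardened handler needs: resolve the requested file to a canonical path and refuse anything that does not sit under the uploads directory. The code below is an added illustration of that pattern, not Meta Box's own code; the hook name, AJAX action, nonce action, request parameter name ("path") and helper names are assumptions, while the WordPress functions called (check_ajax_referer, current_user_can, wp_upload_dir, wp_unslash, wp_delete_file, wp_send_json_error, wp_send_json_success) are the real core APIs.

```php
<?php
// Added example of a hardened AJAX file-deletion handler for a WordPress plugin.
// This is NOT the Meta Box plugin's code. Hook/action/nonce names are assumptions.

/**
 * Return the canonical path of $candidate if it resolves to a regular file
 * inside $base_dir, or false otherwise. Pure function, no WordPress calls,
 * so it can be unit-tested on its own.
 */
function example_resolve_inside_dir( string $candidate, string $base_dir ) {
    $real_base = realpath( $base_dir );
    $real_file = realpath( $candidate );
    if ( false === $real_base || false === $real_file ) {
        // Base directory missing, or candidate does not exist (or is a dangling symlink).
        return false;
    }
    // Compare against the base with a trailing separator so that a sibling
    // directory such as "/uploads-other/x" is not accepted for base "/uploads".
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $real_file, $real_base, strlen( $real_base ) ) ) {
        return false;
    }
    if ( ! is_file( $real_file ) ) {
        return false; // refuse directories and special files
    }
    return $real_file;
}

/**
 * AJAX callback. Assumed request parameter: "path", relative to the uploads dir.
 */
function example_ajax_delete_file() {
    // 1. CSRF protection. The nonce action name is an assumption.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Authorization: restrict deletion to administrators instead of Contributor+.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input handling: accept only a relative path; normalise separators and
    //    reject empty values and embedded NUL bytes before touching the filesystem.
    $relative = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $relative = ltrim( str_replace( '\\', '/', (string) $relative ), '/' );
    if ( '' === $relative || false !== strpos( $relative, "\0" ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Path validation: the resolved file must live under the uploads directory.
    //    realpath() collapses ".." segments and follows symlinks, so a link that
    //    points outside the uploads tree is rejected as well.
    $uploads  = wp_upload_dir();
    $resolved = example_resolve_inside_dir( $uploads['basedir'] . '/' . $relative, $uploads['basedir'] );
    if ( false === $resolved ) {
        wp_send_json_error( 'path outside uploads directory', 400 );
    }

    // 5. Delete through the core helper and report back.
    wp_delete_file( $resolved );
    wp_send_json_success( array( 'deleted' => basename( $resolved ) ) );
}
add_action( 'wp_ajax_example_delete_file', 'example_ajax_delete_file' );
```

The design point is that the check happens on the resolved path, not on the raw request string: stripping "../" from user input is fragile, whereas comparing realpath() output against the uploads base directory (with its trailing separator) leaves no way to name a file outside that tree. Restricting the capability to administrators covers the second recommended action at the same time.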

Advisories

Source: GitHub GHSA
ID: GHSA-m4q3-832v-44j6
Title: Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file

History

Mon, 09 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Metabox; Metabox meta Box; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Metabox; Metabox meta Box; Wordpress; Wordpress wordpress

Sat, 07 Mar 2026 07:45:00 +0000

Type: Description
Values Added: The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: Meta Box <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:54.494Z

Reserved: 2025-12-13T16:53:02.153Z

Link: CVE-2025-14675

Vulnrichment

Updated: 2026-03-09T17:34:24.700Z

NVD

Status: Deferred

Published: 2026-03-07T08:16:05.963

Modified: 2026-04-22T21:27:27.950

Link: CVE-2025-14675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses