Description
The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
Published: 2026-01-13
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary file deletion
Action: Immediate Update
AI Analysis

Impact

The E-xact | Hosted Payment | WordPress plugin, in version 2.0 and earlier, contains a flaw that allows an unauthenticated attacker to delete arbitrary files on the server. The vulnerability stems from insufficient validation of the file path the plugin uses when removing files: a path derived from the request is not confined to the directory the plugin intends, so the deletion can be pointed at any file the web-server process is permitted to remove. Successful exploitation can result in loss of data, service disruption (on WordPress, removing wp-config.php alone takes the site offline and causes it to present the installation wizard), or further compromise of the web application. The weakness is recorded as improper input validation (CWE-20).
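The flaw class described above, illustrated with a hypothetical WordPress AJAX handler. This is an added example, not code from the E-xact | Hosted Payment | plugin; the action name `remove_receipt`, the `receipts` upload directory, the `file` request parameter and the nonce name are assumptions. The first handler shows the unsafe pattern: it is registered on the `wp_ajax_nopriv_` hook, so any unauthenticated visitor can reach it, and it concatenates a request parameter into a path before calling `unlink()`. The second shows the checks that close both halves of the bug, the missing authorization and the missing path confinement:

```php
<?php
// Added illustration of an arbitrary-file-deletion pattern in a WordPress
// plugin. Hypothetical handler, directory and parameter names; this is NOT
// the E-xact | Hosted Payment | plugin's code.

// --- Vulnerable pattern: unauthenticated, unvalidated path -----------------
add_action( 'wp_ajax_nopriv_remove_receipt', 'vuln_remove_receipt' );
function vuln_remove_receipt() {
    // 'file' is taken straight from the request. A traversal value such as
    // "../../../wp-config.php" walks out of the intended directory.
    $file = isset( $_POST['file'] ) ? $_POST['file'] : '';
    $path = WP_CONTENT_DIR . '/uploads/receipts/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path );   // removes anything the web-server user may delete
    }
    wp_die();
}

// --- Hardened pattern ------------------------------------------------------
// Registered only on wp_ajax_ (no _nopriv), so anonymous requests never
// reach it. The path check is still required: a logged-in low-privilege
// user must not be able to delete files either.
add_action( 'wp_ajax_remove_receipt', 'safe_remove_receipt' );
function safe_remove_receipt() {
    // 1. CSRF token and authorization. wp_send_json_error() ends the request.
    check_ajax_referer( 'remove_receipt', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Confine to one directory. basename() drops any directory part of the
    //    input; realpath() then canonicalises the result so symlinks inside
    //    the directory cannot point the deletion elsewhere.
    $base = realpath( WP_CONTENT_DIR . '/uploads/receipts' );
    $name = basename( wp_unslash( $_POST['file'] ?? '' ) );
    $path = ( $base !== false ) ? realpath( $base . '/' . $name ) : false;
    if ( $base === false || $path === false
         || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // 3. Delete only regular files of the kind the plugin itself created.
    if ( ! is_file( $path ) || ! preg_match( '/\.(pdf|txt)$/i', $name ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_delete_file( $path );   // WordPress wrapper around unlink()
    wp_send_json_success();
}
```

The `realpath()` prefix comparison is the check that actually confines the deletion; `basename()` alone stops `../` sequences but not a symlink placed inside the directory, and dropping `_nopriv` alone stops anonymous callers but not authenticated ones. Because `wp_send_json_error()` calls `wp_die()`, each failed check terminates the request before `unlink()` is reached.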

Affected Systems

All WordPress installations running the E-xact | Hosted Payment | plugin at version 2.0 or earlier are affected. The plugin publisher is listed as Unknown:E-xact | Hosted Payment |; no further vendor detail is available.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 falls in the Critical band. The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) describes a network-reachable, low-complexity attack that needs no privileges or user interaction, with high impact on integrity and availability and none on confidentiality, which is consistent with file deletion. The EPSS score is below 1%, so the predicted probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog; the SSVC record nonetheless marks it Automatable: yes with a public proof of concept (Exploitation: poc). The only preconditions are that the target server runs the vulnerable plugin and that the attacker can reach the plugin's file-deletion functionality, for example via crafted HTTP requests. Because no authentication is required, exploitation is straightforward, which makes this a serious concern for sites that rely on the plugin for payment processing.

Generated by OpenCVE AI on April 27, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Uninstall or deactivate the E-xact | Hosted Payment | plugin. No fixed version is listed at the time of writing, so update only once the vendor publishes a release that resolves the file deletion vulnerability.
  • If the plugin must remain installed, disable it entirely. As a partial mitigation, run PHP under a low-privilege user and make sure that user has no write permission on the directories holding WordPress core files and wp-config.php; deleting a file requires write access to its parent directory, not to the file itself, so file-level permissions alone do not prevent removal. This limits, but does not eliminate, what an attacker can delete, since uploads and plugin directories normally stay writable.
  • Perform a file integrity audit on the web server to confirm that no files have been removed or corrupted by an attacker. For code distributed through WordPress.org, the WP-CLI commands wp core verify-checksums and wp plugin verify-checksums flag missing or altered files; custom files and uploads can only be checked for deletion against a baseline manifest taken beforehand.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 22:00:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 13 Jan 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Type: Title
Values Removed: (none)
Values Added: e-xact-hosted-payment <= 2.0 - Unauthenticated Arbitrary File Deletion

Type: References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-02T12:39:54.904Z

Reserved: 2025-12-17T14:40:06.887Z

Link: CVE-2025-14829

Vulnrichment

Updated: 2026-01-13T14:40:12.747Z

NVD

Status: Deferred

Published: 2026-01-13T06:15:49.310

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses