Description
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2026-01-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion with potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The BuddyPress Xprofile Custom Field Types plugin contains a flaw in the delete_field function that does not properly validate the file path. An attacker who can log in with any role of Subscriber or higher can supply an arbitrary path and trigger deletion. Removing critical files such as wp-config.php can give the attacker a foothold for remote code execution, or lead to site compromise. The vulnerability arises from insufficient path validation, classified as a path traversal defect.

Affected Systems

This issue affects every installation of BuddyPress Xprofile Custom Field Types up to and including version 1.2.8. The plugin is a WordPress add‑on, so any WordPress site using those versions is impacted. No other products are referenced.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity; the EPSS score of less than 1% means current exploitation probability is low, and the vulnerability is not listed in CISA’s KEV catalog. The attacker must be authenticated and have at least Subscriber permissions, which is commonly granted to many users on a site. Once authenticated, the attacker can send a request to the plugin’s delete endpoint with a crafted file path and cause deletion of any file the web server process can write to.

Generated by OpenCVE AI on April 22, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest BuddyPress Xprofile Custom Field Types release that corrects the delete_field path validation flaw.
  • If an upgrade is not feasible, uninstall the plugin to remove the delete capability.
  • After the update or removal, enforce strict file‑system permissions or apply server‑side restrictions (such as open_basedir or .htaccess deny rules) so the web server cannot write to sensitive files like wp‑config.php, thereby mitigating the risk of accidental or malicious deletion.

Generated by OpenCVE AI on April 22, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 05:00:00 +0000

Type Values Removed Values Added
Description The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:31.387Z

Reserved: 2025-12-20T13:26:29.814Z

Link: CVE-2025-14997

cve-icon Vulnrichment

Updated: 2026-01-06T14:56:56.540Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T05:16:03.437

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14997

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses