Description
The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above.
Published: 2025-07-03
Score: 8.8 High
EPSS: 1.3% Low
KEV: No
Impact: Arbitrary File Deletion with potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion because the font_upload_handler function does not properly validate the file path supplied by a user. An authenticated user with Subscriber-level or higher privileges can instruct the plugin to delete any file the web-server process can reach on the server's file system. The flaw is a classic path traversal (CWE-22) that can be leveraged to remove critical WordPress configuration files, such as wp-config.php, thereby enabling remote code execution. If WooCommerce is active, the attacker must have at least Contributor-level access to perform the deletion, but the overall risk remains significant.

Affected Systems

WordPress sites running JKDEVKIT v1.9.4 or earlier are affected. Any WordPress instance on which the "JKDEVKIT" plugin is installed and active is exposed, since the vulnerable handler is reachable by ordinary authenticated users.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, and the EPSS score of 1% suggests a very low but nonzero probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. In practice, an attacker would need a WordPress account with Subscriber (or higher) privileges, a requirement that limits the pool of potential attackers, although any exploitation traffic would look like legitimate authenticated requests. Nonetheless, the ability to delete arbitrary files can enable data loss, denial of service, or the execution of malicious code if critical files are removed or replaced.

Generated by OpenCVE AI on April 21, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JKDEVKIT to the latest version (1.9.5 or newer) that removes the file-path validation flaw.
  • If an upgrade cannot be performed immediately, restrict the font_upload_handler endpoint so that only Administrator accounts may trigger it; when WooCommerce is enabled, also block or disable the endpoint for Subscriber- and Contributor-level users, since those roles can otherwise reach it.
  • Configure file system permissions or use a web-root firewall rule to prevent the web-server process from writing to or deleting files outside the designated upload directories.
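The root cause described above is a file-deletion handler that trusts a user-supplied path. The following is an added illustration of how such a handler can be hardened in a WordPress plugin; it is not JKDEVKIT's code, and the action name, nonce name, `example-fonts` directory and `font_file` request parameter are assumptions for the example.

```php
<?php
// Added illustrative hardening for a font-deletion AJAX handler. NOT JKDEVKIT's
// code: the action name, nonce name, font directory and the 'font_file'
// request parameter are assumptions made for this example.

add_action( 'wp_ajax_example_delete_font', 'example_delete_font_handler' );

function example_delete_font_handler() {
    // 1. Authorisation: require an explicit capability, not merely a login.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. CSRF protection for the AJAX action.
    check_ajax_referer( 'example_delete_font', 'nonce' );
    $requested = isset( $_POST['font_file'] ) ? wp_unslash( $_POST['font_file'] ) : '';
    $path      = example_resolve_font_path( $requested );
    if ( null === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success( basename( $path ) );
}

/**
 * Map a user-supplied name onto a file inside the plugin's font directory.
 * Returns the canonical absolute path, or null if the request is rejected.
 */
function example_resolve_font_path( $name ) {
    $upload  = wp_upload_dir();
    $fontdir = realpath( trailingslashit( $upload['basedir'] ) . 'example-fonts' );
    if ( false === $fontdir ) {
        return null;
    }
    // Reject anything but a bare file name: no separators, no '..' segments.
    if ( '' === $name || basename( $name ) !== $name ) {
        return null;
    }
    // Allow-list the extensions the feature actually handles.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'ttf', 'otf', 'woff', 'woff2' ), true ) ) {
        return null;
    }
    // Canonicalise (resolves symlinks and '..') and confirm containment.
    $full = realpath( $fontdir . DIRECTORY_SEPARATOR . $name );
    if ( false === $full || strpos( $full, $fontdir . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $full;
}
```

Because wp_send_json_error() terminates the request, every rejected branch stops before the deletion call; the containment check on the realpath() result is what defeats traversal even if an earlier check were bypassed.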

Advisories

Source: EUVD
ID: EUVD-2025-19860
Title: The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above.

History

Thu, 03 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 03 Jul 2025 12:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: the description text given in the Description section above

Type: Title
Values Added: JKDEVKIT <= 1.9.4 - Authenticated (Subscriber+) Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:58:27.353Z

Reserved: 2025-03-28T16:22:08.186Z

Link: CVE-2025-2932

Vulnrichment

Updated: 2025-07-03T12:53:32.746Z

NVD

Status: Deferred

Published: 2025-07-03T13:15:28.220

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses