Description
The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above.
Published: 2025-07-03
Score: 8.8 High
EPSS: 3.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The JKDEVKIT plugin for WordPress lets any authenticated user with Subscriber‑level access or higher delete arbitrary files on the server, because the font_upload_handler function does not validate the file path it is given before removing the file. The weakness is classified as path traversal (CWE-22): a supplied name that walks out of the intended font directory (for example with ../ sequences) is passed through unchanged. Deleting wp-config.php is the classic route from file deletion to code execution, since WordPress then drops into its installer and an attacker can complete setup against a database they control and obtain an administrator account. If WooCommerce is active, the required privilege rises to Contributor‑level, but the severity is unchanged.

Affected Systems

All WordPress installations running JKDEVKIT version 1.9.4 or older are affected. Exposure is greatest on sites that allow open user registration or otherwise hand out low-privilege accounts, since a Subscriber account (Contributor when WooCommerce is active) is all that is needed to reach the vulnerable handler.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity; the EPSS score of 3.3% shows a low but measurable probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The attacker must hold an account with Subscriber‑level or higher privileges (Contributor‑level or higher if WooCommerce is enabled), which is trivial to obtain on sites with open registration. Once authenticated, the attacker can delete any file the web-server (PHP) process has permission to remove, leading to data loss, service disruption, or, when wp-config.php or another file that gates the install flow is deleted, remote code execution.

Generated by OpenCVE AI on April 30, 2026 at 09:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JKDEVKIT to a release newer than 1.9.4 as soon as the vendor ships one that fixes the file‑path validation in font_upload_handler; the Remediation section above records no vendor fix at the time of this entry, so verify the vendor’s changelog before relying on any particular version number.
  • If no fixed release is available, deactivate the plugin, or restrict the font_upload_handler endpoint so that only administrators (the manage_options capability) can invoke it. Subscriber is the lowest WordPress role, so any account on the site can reach the handler; disable open user registration and review existing low‑privilege accounts (Contributor and above are the relevant roles when WooCommerce is active).
  • Tighten file‑system permissions so the PHP/web‑server process can only write to and delete from the intended upload directory (normally wp-content/uploads): make wp-config.php and the WordPress core files read‑only to that process. This does not fix the traversal, but it removes the deletion‑to‑RCE chain and limits the blast radius to uploaded content.


Advisories
Source: EUVD
ID: EUVD-2025-19860
Title: same text as the Description above (JKDEVKIT <= 1.9.4 arbitrary file deletion via font_upload_handler).
History

Thu, 03 Jul 2025 14:15:00 +0000

Values added:
Metrics (ssvc): Automatable: no; Exploitation: none; Technical Impact: total (SSVC version 2.0.3)


Thu, 03 Jul 2025 12:45:00 +0000

Values added:
Description: same text as the Description above.
Title: JKDEVKIT <= 1.9.4 - Authenticated (Subscriber+) Arbitrary File Deletion
Weaknesses: CWE-22
References: (none listed)
Metrics (cvssV3_1): score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:58:27.353Z
Reserved: 2025-03-28T16:22:08.186Z
Link: CVE-2025-2932

Vulnrichment

Updated: 2025-07-03T12:53:32.746Z

NVD

Status: Deferred
Published: 2025-07-03T13:15:28.220
Modified: 2026-04-15T00:35:42.020
Link: CVE-2025-2932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z

Weaknesses