Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through <= 3.0.1.
Published: 2025-08-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to delete arbitrary files from the web server through a path-traversal flaw in the BuddyPress XProfile Custom Image Field plugin. The flaw occurs when the plugin processes a custom image field request and does not properly restrict the pathname, enabling users to specify a directory outside the intended upload folder. A successful exploit would result in loss of data or configuration files which could affect site functionality or integrity of the file system.

Affected Systems

The flaw affects the BuddyPress XProfile Custom Image Field plugin by Alex Githatu. Versions from unknown earlier releases up to and including 3.0.1 are impacted. Users running any of these affected releases on a WordPress installation should be aware that the vulnerability exists.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity, while the EPSS score of less than 1% indicates a very low likelihood that exploitation is currently being observed in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker would typically need access to the WordPress administrative interface or a way to submit a crafted request to the plugin; once such a request reaches the vulnerable code path, directory traversal can be used to target arbitrary files on the server.

Generated by OpenCVE AI on April 30, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BuddyPress XProfile Custom Image Field plugin to the latest release or at least 3.0.2 where the path-traversal issue is fixed.
  • If an update is not immediately available, remove or disable the BuddyPress XProfile Custom Image Field plugin to eliminate the attack surface.
  • Configure strict file permissions on the web root and enforce directory restrictions to limit the effect of any path traversal attempts.
Advisories

Source: EUVD
ID: EUVD-2025-25374
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through 3.0.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through 3.0.1. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through <= 3.0.1.
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Sun, 24 Aug 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Buddypress
Buddypress buddypress
Wordpress
Wordpress wordpress
Vendors & Products Buddypress
Buddypress buddypress
Wordpress
Wordpress wordpress

Thu, 21 Aug 2025 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through 3.0.1.
Title WordPress BuddyPress XProfile Custom Image Field Plugin <= 3.0.1 - Arbitrary File Deletion Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.960Z

Reserved: 2025-05-15T18:02:03.511Z

Link: CVE-2025-48158

Vulnrichment

Updated: 2025-08-20T17:42:11.773Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:31.540

Modified: 2026-04-23T15:30:54.243

Link: CVE-2025-48158

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses