Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0.
Published: 2026-02-20
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Deletion
Action: Patch Now
AI Analysis

Impact

The Vanquish User Extra Fields WordPress plugin allows path traversal that can be used to delete arbitrary files on the hosting server. This flaw is a classic instance of CWE22, giving an attacker the ability to remove any file the web server process can access, potentially crippling site functionality or deleting sensitive data.

Affected Systems

The vulnerability exists in all releases of the vanquish User Extra Fields plugin up to and including version 17.0. No other products or vendors are affected according to the CNA information.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity attack with a large impact if exploited. The EPSS score of less than 1% suggests that attackers are unlikely to target this flaw at the moment, and it is not listed in CISA’s KEV catalog. Nevertheless, the most likely attack vector is through the web interface or configuration files, where a user with CMS access can supply a malformed path to trigger the deletion. If exploited, the attacker can delete arbitrary files, leading to site downtime or data loss.

Generated by OpenCVE AI on April 28, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update released by vanquish for the User Extra Fields plugin to address the path traversal flaw.
  • Reconfigure the plugin to use a dedicated, non-sensitive upload directory and enforce strict file permissions so that the web server process cannot delete critical files.
  • Implement a web application firewall rule that detects and blocks path traversal patterns, preventing malformed requests from reaching the plugin code.

Generated by OpenCVE AI on April 28, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Vanquish
Vanquish user Extra Fields
Wordpress
Wordpress wordpress
Vendors & Products Vanquish
Vanquish user Extra Fields
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0.
Title WordPress User Extra Fields plugin <= 17.0 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References

Subscriptions

Vanquish User Extra Fields
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:56:44.706Z

Reserved: 2025-12-31T20:13:05.452Z

Link: CVE-2025-69376

cve-icon Vulnrichment

Updated: 2026-02-26T18:57:18.832Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:22.003

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69376

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T17:45:16Z

Weaknesses