CVE-2025-7846 - Vulnerability Details

- WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function

Description

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Published: 2025-10-31

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The WordPress User Extra Fields plugin contains an insufficient file path validation flaw in its save_fields() function that allows authenticated users with Subscriber‑level access or higher to delete arbitrary files on the server. This flaw is a Path Traversal issue (CWE‑36). Removing critical configuration files such as wp-config.php can give attackers direct control over the WordPress installation, effectively turning the vulnerability into a remote code execution risk.

Affected Systems

All installations of the WordPress User Extra Fields plugin released by Vanquish, up to and including version 16.7, are affected.

Risk and Exploitability

The vulnerability scores a CVSS of 8.8, indicating high severity, while the EPSS below 1% suggests a low likelihood that it has been widely exploited to date. Although not listed in the CISA KEV catalog, an attacker would need only authenticated access with a Subscriber role or higher, making the exploitation pathway relatively simple if the plugin is in use. The weakness permits deletion of any user‑supplied file path, providing a potential pivot point for executing code on the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

vanquish

WordPress User Extra Fields

unaffected

Version	Status	Constraints
`0`	affected	≤ 16.7

No data.

Vendor	Product	Confidence	Versions
Vanquish	Wordpress User Extra Fields	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WordPress User Extra Fields to the latest version (≥16.8) available from the plugin author
If an upgrade cannot be performed immediately, remove the plugin entirely to eliminate the attack vector
Adjust WordPress role permissions so that subscribers and lower roles cannot invoke the save_fields functionality, restricting the feature to administrators only
Verify the site’s file integrity and restore any accidental deletions of critical files after remediation

Generated by OpenCVE AI on April 20, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00555.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://codecanyon.net/item/user-extra-fields/12949844
https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve

History

Mon, 03 Nov 2025 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Vanquish Vanquish wordpress User Extra Fields Wordpress Wordpress wordpress
Vendors & Products		Vanquish Vanquish wordpress User Extra Fields Wordpress Wordpress wordpress

Fri, 31 Oct 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 31 Oct 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title		WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function
Weaknesses		CWE-36
References		https://codecanyon.net/item/user-extra-fields/12949844 https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Vanquish Wordpress User Extra Fields

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-10-31T06:42:56.125Z

Updated: 2026-04-08T17:21:11.387Z

Reserved: 2025-07-18T20:19:32.220Z

Link: CVE-2025-7846

Vulnrichment

Updated: 2025-10-31T14:26:07.053Z

NVD

Status : Deferred

Published: 2025-10-31T07:15:38.507

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses

CWE-36

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object