Impact
The Meta Box – WordPress Custom Fields Framework plugin contains an arbitrary file deletion flaw that allows a contributor to delete any file on the server. This vulnerability is classified as CWE‑22 and carries a CVSS score of 6.8, indicating a moderate severity. An attacker who can gain access to the plugin’s administration functions could specify an arbitrary file path and trigger its deletion, potentially removing critical configuration files or user data.
Affected Systems
Affected products include the Meta Box – WordPress Custom Fields Framework plugin from eLightUp for all releases up to and including version 5.11.1. The vulnerability applies to any WordPress installation that has this plugin installed and has users with at least contributor privileges.
Risk and Exploitability
The EPSS score is less than 1%, indicating a low current exploit probability, and the vulnerability is not listed in CISA’s KEV catalog. However, the existence of the flaw means that once an authenticated user can use the deletion function, the impact is permanent file loss. The exploit path requires a web‑based interaction with the plugin, suggesting that the attack vector is web‑based and depends on user credentials with delete capabilities. Given the CVSS score, an attacker could cause significant disruption if the deleted files are essential to the site’s operation.
OpenCVE Enrichment