Vulnerabilities ›

CVE-2025-14997

High

Critical File Deletion Vulnerability in BuddyPress Xprofile WordPress Plugin (CVE-2025-14997)

CWE-22 — Weakness Type

                    Published: Jan 6, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

🤖 AI Executive Summary

The BuddyPress Xprofile Custom Field Types WordPress plugin contains a path traversal vulnerability allowing authenticated subscribers to delete arbitrary files on the server. This can lead to remote code execution by deleting critical files like wp-config.php.

📄 Description (Arabic)

تحتوي إضافة BuddyPress Xprofile Custom Field Types على ثغرة في التحقق من صحة مسارات الملفات في دالة delete_field. يمكن للمستخدمين المصرح لهم على مستوى المشترك وما فوقه حذف ملفات تعسفية على الخادم. يمكن أن يؤدي حذف ملفات حرجة مثل wp-config.php إلى تنفيذ أكواد بعيدة.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 9, 2026 04:02

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government healthcare telecom

🎯 MITRE ATT&CK Techniques

T1485 T1561 T1070

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update the BuddyPress Xprofile Custom Field Types plugin to version 1.2.9 or later immediately. Implement strict file path validation and restrict file deletion operations. Apply principle of least privilege to user roles and monitor file system access logs for suspicious deletion activities.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة BuddyPress Xprofile Custom Field Types إلى الإصدار 1.2.9 أو أحدث فوراً. طبق التحقق الصارم من مسارات الملفات وقيد عمليات حذف الملفات. طبق مبدأ أقل صلاحية على أدوار المستخدمين وراقب سجلات الوصول إلى نظام الملفات للأنشطة المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

AC-2 AC-3 SI-7

🔵 SAMA CSF

CC6.1 CC6.2 CC7.2

🟡 ISO 27001:2022

A.9.2.1 A.9.2.5 A.12.4.1

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/sr...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset/3430565/bp-xprofile-custom-field-types

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/89a7a717-dac3-490e-89dd-268be...

security@wordfence.com

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredH — High

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-22

EPSS0.90%

Exploit No

Patch ✓ Yes

Published 2026-01-06

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-22

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2025-14997

💬 Comments

Introduce Yourself

Sign In Required