VulnerAlert



WORDPRESS
07-03-2026 05:20

CVE-2025-14675 Vulnerabilidad documentada

Sin puntuación
Tags
#wordpress
#plugin
#wp
#server
#php
#config
#deletion
#attackers
#authenticated
#arbitrary
#vulnerable
#remote
#execution
#attack
#access
Descripción
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due insufficient path validation in the 'ajax_delete_file' function all versions up to, and including, 5.11.1. This makes it possible authenticated attackers, with Contributor-level access above, delete files on server, which can easily lead remote code execution when right deleted (such as wp-config.php).
https://github.com/wpmetabox/meta-box/pull/1654
https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L30
https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L54
https://plugins.trac.wordpress.org/changeset/3475210/meta-box#file3
https://www.wordfence.com/threat-intel/vulnerabilities/id/036467de-95bb-4bfd-9522-df8dc17f3102?source=cve
Referencia
Link externo
Ver detalles

Fuente
https://nvd.nist.gov/vuln/detail/CVE-2025-14675
Resultados similares
Coincidentes en almenos en 50% de los tags
12-03-2026 CVE-2026-2687
The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its ...
Ver información
12-03-2026 CVE-2025-15473
The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, al...
Ver información
Icons made by Freepik from www.flaticon.com
Este Proyecto fue cofinanciado por el Consejo Nacional de Ciencia y Tecnología (CONACYT) a través del PROINNOVA 2021/2023
Proyecto realizado por