CVE-2025-14829
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-13

Last updated on: 2026-01-13

Assigner: WPScan

Description
The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-01-13
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14829
EUVD
EUVD-2026-2349
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor e_xact_hosted_payment to 2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the E-xact | Hosted Payment WordPress plugin version 2.0 and earlier. It allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation and missing authorization controls. Attackers can exploit this by sending a specially crafted POST request to the plugin's downloadBackup.php script, using parameters that specify which files to delete. Directory traversal techniques can be used to delete files beyond the intended scope, making the vulnerability critical. [1]

Impact Analysis

This vulnerability can have a severe impact by allowing attackers without any authentication to delete arbitrary files on the server hosting the WordPress plugin. This could lead to loss of important data, disruption of services, potential server instability, and could be leveraged as part of a larger attack to compromise the server or website. [1]

Detection Guidance

This vulnerability can be detected by sending a crafted POST request to the plugin's downloadBackup.php script with a parameter specifying a file to delete, such as "download_current_backup=readme.txt". Monitoring for such POST requests targeting downloadBackup.php with suspicious parameters can help detect exploitation attempts. For example, using curl to test: curl -X POST -d "download_current_backup=readme.txt" https://yourwordpresssite.com/wp-content/plugins/e-xact-hosted-payment/downloadBackup.php. Additionally, inspecting web server logs for unusual POST requests to this script with file deletion parameters can help identify attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the downloadBackup.php script, such as limiting access by IP address or disabling the script if not needed. Since there is currently no known fix for this vulnerability, it is recommended to monitor and block suspicious requests targeting this endpoint. Additionally, consider removing or disabling the e-xact-hosted-payment plugin until a patch is available to prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14829. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart