CVE-2025-14997
Arbitrary File Deletion in BuddyPress Xprofile Plugin Enables RCE

Publication date: 2026-01-06

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Meta Information
Published: 2026-01-06
Last Modified: 2026-04-08
Generated: 2026-05-07
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product                          Version / Range
wordfence   bp-xprofile-custom-field-types   up to 1.2.8 (inclusive)
wordfence   bp-xprofile-custom-field-types   from 1.3.0 (inclusive)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the BuddyPress Xprofile Custom Field Types plugin for WordPress allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server. This happens because the 'delete_field' function does not properly validate file paths, enabling attackers to specify and delete files outside the intended scope. Deleting critical files like wp-config.php can lead to remote code execution. [1]
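The following PHP is an added illustration of the CWE-22 pattern described above and of the containment check that prevents it; it is not code from the BuddyPress Xprofile Custom Field Types plugin, and the function names, the temporary directory layout and the sample file names are constructed for the example. The unsafe function passes a caller-controlled name straight to unlink(), so a relative path can resolve outside the upload directory; the hardened function rejects path separators, resolves both paths with realpath() and refuses to delete anything whose resolved location is not inside the resolved base directory.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.
declare(strict_types=1);

/**
 * Unsafe pattern (CWE-22): the supplied name reaches unlink() unchanged,
 * so a value such as "../wp-config.php" deletes outside the upload directory.
 */
function delete_upload_unsafe(string $uploadDir, string $fileName): bool
{
    $path = $uploadDir . '/' . $fileName;
    return is_file($path) && unlink($path);
}

/**
 * Hardened pattern: only a plain file name is accepted, both sides are
 * resolved with realpath() so "..", "." and symlinks are collapsed, and the
 * resolved target must start with the resolved base directory plus a separator.
 */
function delete_upload_safely(string $uploadDir, string $fileName): bool
{
    // Uploads are stored flat by name, so any separator or NUL byte is rejected.
    if ($fileName === '' || strpbrk($fileName, "/\\\0") !== false) {
        return false;
    }
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $target === false) {
        return false; // base directory or target file does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path lies outside the upload directory
    }
    if (!is_file($target)) {
        return false; // refuse directories and special files
    }
    return unlink($target);
}

// Constructed temporary layout: an upload directory and a stand-in for a
// sensitive file one level above it.
$root = sys_get_temp_dir() . '/bpxcftr-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/avatar.png', 'demo');
file_put_contents($root . '/wp-config.php', 'demo'); // constructed stand-in

// A traversal attempt is refused and the stand-in survives.
$escaped = delete_upload_safely($root . '/uploads', '../wp-config.php');
$survived = file_exists($root . '/wp-config.php');
// A legitimate upload inside the directory is deleted.
$deleted = delete_upload_safely($root . '/uploads', 'avatar.png');

printf("traversal refused: %s\n", $escaped ? 'no' : 'yes');
printf("wp-config.php stand-in intact: %s\n", $survived ? 'yes' : 'no');
printf("avatar.png deleted: %s\n", $deleted ? 'yes' : 'no');

// Clean up the constructed layout.
@unlink($root . '/wp-config.php');
@rmdir($root . '/uploads');
@rmdir($root);
```

The prefix comparison must include the trailing separator; comparing against the bare base path would accept a sibling directory whose name merely begins with the same characters (for example "uploads-old" beside "uploads").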


How can this vulnerability impact me?

This vulnerability can allow an attacker with low-level authenticated access to delete any file on the server, potentially removing critical configuration or system files. This can lead to denial of service, data loss, or remote code execution if the attacker deletes files that the system relies on for security or operation. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if the BuddyPress Xprofile Custom Field Types plugin version 1.2.8 or earlier is installed and active on your WordPress site. Since the vulnerability allows authenticated users with Subscriber-level access to delete arbitrary files via the 'delete_field' function, monitoring for unusual file deletion activities in the upload directories (specifically under wp-content/uploads/bpxcftr-profile-uploads/) can help detect exploitation attempts. You can check the plugin version using WP-CLI with the command: `wp plugin get bp-xprofile-custom-field-types --field=version`. Additionally, reviewing web server logs for suspicious POST requests targeting profile field deletions or unusual file deletions in the upload directories may help. There are no specific commands provided in the resources for direct detection of exploit attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later, which contains the security fix for the arbitrary file deletion vulnerability (CVE-2025-14997). This update was contributed by Sarawut Poolkhet and the WordPress.org plugin team and also includes additional security hardening. If updating immediately is not possible, restrict Subscriber-level users from accessing the affected functionality or disable the plugin temporarily to prevent exploitation. [3]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated users with Subscriber-level access and above to delete arbitrary files on the server, potentially leading to remote code execution. Such unauthorized file deletion and potential system compromise can result in data breaches or loss of data integrity, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and sensitive data. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by exposing or compromising protected data and failing to maintain system security controls. [1, 3]

