Executive Summary

The vulnerability in the BuddyPress Xprofile Custom Field Types plugin for WordPress allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server. This happens because the 'delete_field' function does not properly validate file paths, enabling attackers to specify and delete files outside the intended scope. Deleting critical files like wp-config.php can lead to remote code execution. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with low-level authenticated access to delete any file on the server, potentially removing critical configuration or system files. This can lead to denial of service, data loss, or remote code execution if the attacker deletes files that the system relies on for security or operation. [1]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if the BuddyPress Xprofile Custom Field Types plugin version 1.2.8 or earlier is installed and active on your WordPress site. Since the vulnerability allows authenticated users with Subscriber-level access to delete arbitrary files via the 'delete_field' function, monitoring for unusual file deletion activities in the upload directories (specifically under wp-content/uploads/bpxcftr-profile-uploads/) can help detect exploitation attempts. You can check the plugin version using WP-CLI with the command: `wp plugin get bp-xprofile-custom-field-types --field=version`. Additionally, reviewing web server logs for suspicious POST requests targeting profile field deletions or unusual file deletions in the upload directories may help. There are no specific commands provided in the resources for direct detection of exploit attempts. [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later, which contains the security fix for the arbitrary file deletion vulnerability (CVE-2025-14997). This update was contributed by Sarawut Poolkhet and the WordPress.org plugin team and also includes additional security hardening. If updating immediately is not possible, restrict Subscriber-level users from accessing the affected functionality or disable the plugin temporarily to prevent exploitation. [3]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows authenticated users with Subscriber-level access and above to delete arbitrary files on the server, potentially leading to remote code execution. Such unauthorized file deletion and potential system compromise can result in data breaches or loss of data integrity, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and sensitive data. Therefore, exploitation of this vulnerability could negatively impact compliance with these regulations by exposing or compromising protected data and failing to maintain system security controls. [1, 3]

Useful 0 Not Useful 0