CVE-2025-14037
Received Received - Intake
Path Traversal in Invelity WordPress Plugin Allows File Deletion

Publication date: 2026-03-21

Last updated on: 2026-03-21

Assigner: Wordfence

Description
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-03-21
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14037
EUVD
EUVD-2025-208918
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
invelity product_feeds to 1.2.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Invelity Product Feeds plugin for WordPress has a vulnerability that allows an authenticated administrator-level attacker to delete arbitrary files on the server. This happens because the plugin's 'createManageFeedPage' function does not properly validate or sanitize input parameters, specifically the 'name' parameter used for file deletion. By crafting a malicious request with path traversal sequences and tricking an admin into clicking a link, the attacker can delete files outside the intended directory.

Impact Analysis

This vulnerability can have serious impacts including the deletion of important files on the server hosting the WordPress site. An attacker with administrator access can exploit this flaw to remove critical files, potentially causing denial of service, loss of data, or disruption of website functionality. Since the attack requires tricking an admin into clicking a malicious link, social engineering is also a factor.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves arbitrary file deletion via path traversal in the Invelity Product Feeds WordPress plugin, triggered by specially crafted requests to the admin feed management page.'}, {'type': 'paragraph', 'content': "To detect exploitation attempts on your system or network, monitor HTTP requests to the WordPress admin feed management page for suspicious parameters, especially the 'name' GET parameter containing path traversal sequences such as '../' or encoded variants."}, {'type': 'paragraph', 'content': 'Example commands to detect such attempts include:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find suspicious \'name\' parameters with path traversal patterns: grep -E "name=.*(\\.\\./|%2e%2e/)" /var/log/apache2/access.log'}, {'type': 'list_item', 'content': "Using curl to test if the vulnerable endpoint is accessible (requires admin authentication): curl -I -b 'wordpress_logged_in=your_cookie' 'https://yourdomain.com/wp-admin/admin.php?page=product_feeds&name=../../../../etc/passwd'"}, {'type': 'list_item', 'content': 'Checking for unexpected file deletions or missing files in the WordPress uploads/product-feeds directory.'}] [2]

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the WordPress admin feed management page to trusted administrators only.
  • Avoid clicking on suspicious or untrusted links that could trigger the vulnerable functionality.
  • If possible, disable or remove the Invelity Product Feeds plugin until a patched version is available.
  • Monitor and audit file deletions in the uploads/product-feeds directory to detect any unauthorized activity.
  • Apply any available updates or patches from the plugin author addressing this vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart