CVE-2025-14037
Path Traversal in Invelity WordPress Plugin Allows File Deletion
Publication date: 2026-03-21
Last updated on: 2026-03-21
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| invelity | product_feeds | up to 1.2.6 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Invelity Product Feeds plugin for WordPress has a vulnerability that allows an authenticated administrator-level attacker to delete arbitrary files on the server. This happens because the plugin's 'createManageFeedPage' function does not properly validate or sanitize input parameters, specifically the 'name' parameter used for file deletion. By crafting a malicious request with path traversal sequences and tricking an admin into clicking a link, the attacker can delete files outside the intended directory.
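The root cause described above is a file name taken straight from the request and joined onto the feeds directory. The following added example (written for this page in Python, not code from the plugin, which is PHP) puts the flawed join beside a hardened resolver: an allow-list on the file name, then a realpath containment check so that even a symlink inside the feeds directory cannot point the deletion outside it. The directory layout, the `resolve_feed_path` and `delete_feed` names and the `SAFE_NAME` rule are this example's own assumptions.

```python
import os
import re
import tempfile

# Allow-list for feed file names: letters, digits, dot, dash, underscore;
# no separators and no leading dot. This rule is the example's assumption.
SAFE_NAME = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$')


def unsafe_feed_path(base_dir, name):
    """Mirror of the flawed pattern: user input joined without validation.

    A name such as '../wp-config.php' resolves outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_feed_path(base_dir, name):
    """Return the absolute path of feed `name` inside base_dir or raise."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected feed name: {name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Second line of defence: after following symlinks the target must
    # still lie under the feeds directory.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes feeds directory: {candidate}")
    return candidate


def delete_feed(base_dir, name):
    """Delete a feed only after the name has been validated and contained."""
    path = resolve_feed_path(base_dir, name)
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    os.remove(path)
    return path


def demo():
    """Build a throwaway layout and exercise both resolvers; returns results."""
    with tempfile.TemporaryDirectory() as root:
        feeds = os.path.join(root, 'product-feeds')
        os.mkdir(feeds)
        open(os.path.join(feeds, 'weekly.xml'), 'w').close()
        secret = os.path.join(root, 'wp-config.php')   # file outside feeds dir
        open(secret, 'w').close()

        results = {}
        # The unvalidated join lands on the file outside the feeds directory.
        results['unsafe_escapes'] = (
            unsafe_feed_path(feeds, '../wp-config.php') == os.path.normpath(secret))
        results['safe_ok'] = (
            os.path.basename(resolve_feed_path(feeds, 'weekly.xml')) == 'weekly.xml')

        rejected = []
        for bad in ['../wp-config.php', '..\\wp-config.php', '.htaccess', 'a/b.xml', '']:
            try:
                resolve_feed_path(feeds, bad)
                rejected.append(False)
            except ValueError:
                rejected.append(True)
        results['all_rejected'] = all(rejected)

        # A symlink with an innocent name pointing outside is caught by realpath.
        try:
            os.symlink(secret, os.path.join(feeds, 'link.xml'))
            try:
                resolve_feed_path(feeds, 'link.xml')
                results['symlink_rejected'] = False
            except ValueError:
                results['symlink_rejected'] = True
        except OSError:
            results['symlink_rejected'] = None  # symlinks unavailable here

        delete_feed(feeds, 'weekly.xml')
        results['deleted'] = not os.path.exists(os.path.join(feeds, 'weekly.xml'))
        results['secret_intact'] = os.path.exists(secret)
        return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the WordPress plugin itself the same handler would also need the request-forgery half of the fix that the CWE-352 classification points at: a nonce check (`check_admin_referer`) and a capability check (`current_user_can`) before any deletion, with `sanitize_file_name` as the name allow-list; the containment check above is the part those WordPress helpers do not provide.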
How can this vulnerability impact me?
This vulnerability can have serious impacts including the deletion of important files on the server hosting the WordPress site. An attacker with administrator access can exploit this flaw to remove critical files, potentially causing denial of service, loss of data, or disruption of website functionality. Since the attack requires tricking an admin into clicking a malicious link, social engineering is also a factor.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary file deletion via path traversal in the Invelity Product Feeds WordPress plugin, triggered by specially crafted requests to the admin feed management page.
To detect exploitation attempts on your system or network, monitor HTTP requests to the WordPress admin feed management page for suspicious parameters, especially the 'name' GET parameter containing path traversal sequences such as '../' or encoded variants.
Example commands to detect such attempts include:
- Using grep on web server logs to find suspicious 'name' parameters with path traversal patterns (case-insensitive, so %2E variants are caught too): grep -iE 'name=[^ ]*(\.\./|%2e%2e(/|%2f))' /var/log/apache2/access.log
- Using curl to test whether the vulnerable endpoint is reachable (requires admin authentication): curl -I -b 'wordpress_logged_in=your_cookie' 'https://yourdomain.com/wp-admin/admin.php?page=product_feeds&name=../../../../etc/passwd'
- Checking for unexpected file deletions or missing files in the WordPress uploads/product-feeds directory. [2]
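The grep above misses double-encoded sequences (%252e) and backslash variants. The following added example (written for this page, not tooling from the advisory or the plugin vendor) parses combined-format access-log lines, percent-decodes the 'name' parameter until it stops changing, and flags any request whose decoded name contains a '..' path segment. The log lines are constructed for the example; the paths and IP addresses in them are not from any real system.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx combined-format line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for this example; they are not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Mar/2026:10:01:12 +0000] "GET /wp-admin/admin.php?page=product_feeds&name=weekly.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2026:10:02:30 +0000] "GET /wp-admin/admin.php?page=product_feeds&name=../../../../wp-config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Mar/2026:10:03:01 +0000] "GET /wp-admin/admin.php?page=product_feeds&name=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Mar/2026:10:03:05 +0000] "GET /wp-admin/admin.php?page=product_feeds&name=%252e%252e%252fwp-config.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [21/Mar/2026:10:04:00 +0000] "GET /wp-admin/admin.php?page=other&name=../x HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..' (%252e) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment of the decoded value is '..' (either slash)."""
    segments = re.split(r'[\\/]', fully_decode(value))
    return '..' in segments


def scan_log(text):
    """Return one finding per request whose 'name' parameter traverses."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already decodes one layer; fully_decode handles the rest.
        query = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
        for raw in query.get('name', []):
            if has_traversal(raw):
                findings.append({
                    'ip': m['ip'],
                    'time': m['ts'],
                    'page': query.get('page', ['?'])[0],
                    'name': raw,
                    'decoded': fully_decode(raw),
                    'status': int(m['status']),
                })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} page={f['page']} "
              f"name={f['decoded']!r} status={f['status']}")
```

The scan flags traversal in a 'name' parameter on any admin page, not only page=product_feeds, and records the page so the feed-management hits can be separated from the rest; a 302 on those requests is consistent with the plugin redirecting after the delete action, so the status alone does not tell you whether the deletion succeeded.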
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict access to the WordPress admin feed management page to trusted administrators only.
- Avoid clicking on suspicious or untrusted links that could trigger the vulnerable functionality.
- If possible, disable or remove the Invelity Product Feeds plugin until a patched version is available.
- Monitor and audit file deletions in the uploads/product-feeds directory to detect any unauthorized activity.
- Apply any available updates or patches from the plugin author addressing this vulnerability.