CVE-2025-14675
Status: Received - Intake
Arbitrary File Deletion in Meta Box Plugin Enables RCE

Publication date: 2026-03-07

Last updated on: 2026-03-07

Assigner: Wordfence

Description
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-07
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor     Product    Version / Range
meta_box   meta_box   up to 5.11.1 (inclusive)
meta_box   meta_box   5.11.2
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The Meta Box plugin for WordPress has a vulnerability in its 'ajax_delete_file' function that allows authenticated users with Contributor-level access or higher to delete arbitrary files on the server. This happens because the plugin does not properly validate file paths before deleting files, enabling attackers to perform path traversal attacks. By deleting critical files such as wp-config.php, attackers can potentially execute remote code on the server.

The vulnerability was fixed by introducing strict validation to ensure that any file path provided for deletion is confined within the designated upload directory, preventing attackers from deleting unauthorized files outside this directory.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized deletion of arbitrary files on your server by attackers with Contributor-level access or above. Such file deletions can lead to loss of important data or configuration files.

More critically, deleting key files like wp-config.php can enable remote code execution, allowing attackers to take full control of your WordPress site and potentially the underlying server.

Overall, this can compromise the integrity, availability, and confidentiality of your website and server environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying attempts to exploit the arbitrary file deletion via the 'ajax_delete_file' function in the Meta Box WordPress plugin. Since the vulnerability allows authenticated users with Contributor-level access or higher to delete arbitrary files by manipulating file paths, monitoring for suspicious AJAX requests to the 'ajax_delete_file' endpoint with unusual or path traversal patterns is key.

You can check your web server logs for POST requests to the AJAX handler related to file deletion, looking for parameters that include path traversal sequences such as '../'.

  • Use grep or similar tools to search for suspicious AJAX delete requests in your access logs, for example:
        grep -i 'ajax_delete_file' /var/log/apache2/access.log | grep '\.\./'
  • Monitor WordPress user activity logs for Contributor-level or higher users performing file deletion actions.
  • Use WordPress security plugins or monitoring tools that can alert on unusual file deletion or path traversal attempts.

What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to update the Meta Box WordPress plugin to version 5.11.2 or later, where the vulnerability has been fixed by enforcing strict path validation and sanitization to prevent arbitrary file deletion.

This update includes validation of the resolved file path against the allowed upload directory and sanitization to reject URLs containing path traversal sequences.

Additionally, restrict Contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated access at that level.

If immediate updating is not possible, consider temporarily disabling or restricting access to the vulnerable AJAX file deletion functionality, or applying custom code to validate file paths before deletion.
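The fix described above (resolve the requested path, then require it to sit inside the allowed upload directory) is a general technique, and it is worth seeing why the resolution step matters rather than a string check alone. The following is an added example written for this page, not the plugin's patch and not PHP: a Python version of the confinement check with both a lexical `..` rejection and an authoritative `realpath`-based containment test, exercised against a constructed directory layout that includes a symlink inside the upload directory pointing outside it. In a WordPress plugin the equivalent base directory would be `wp_upload_dir()['basedir']`; the function and variable names here are this example's own.

```python
import os
import re
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied path would escape the upload directory."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the real, absolute path for user_path if it lies inside base_dir;
    raise UnsafePath otherwise. base_dir is the only directory deletions may
    touch (in WordPress that would be wp_upload_dir()['basedir'])."""
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")
    # Callers must pass a path relative to the upload directory.
    if os.path.isabs(user_path) or re.match(r"^[A-Za-z]:", user_path):
        raise UnsafePath("absolute paths are not accepted")
    # Lexical pre-check: reject any '..' segment, whichever separator is used.
    if ".." in re.split(r"[\\/]+", user_path):
        raise UnsafePath("path traversal segment in input")
    # Authoritative check: resolve symlinks and '.' components on both sides
    # and require the result to remain under the real upload directory.
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise UnsafePath(f"{user_path!r} resolves outside {base_real}")
    return target


def safe_delete(base_dir: str, user_path: str) -> str:
    """Delete a file only after confinement passes. Returns 'deleted',
    'rejected' or 'missing' so the caller can log the outcome."""
    try:
        target = resolve_within(base_dir, user_path)
    except UnsafePath:
        return "rejected"
    if not os.path.isfile(target):
        return "missing"
    os.remove(target)
    return "deleted"


def demo() -> dict:
    """Exercise the check against a constructed layout: uploads/ holding a
    legitimate file, a sibling directory holding a file that must survive,
    and a symlink inside uploads/ that points at that file."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        outside = os.path.join(root, "outside")
        os.makedirs(os.path.join(uploads, "2026", "03"))
        os.makedirs(outside)
        legit = os.path.join(uploads, "2026", "03", "photo.jpg")
        secret = os.path.join(outside, "secret.txt")
        for path in (legit, secret):
            with open(path, "w") as fh:
                fh.write("content")
        os.symlink(secret, os.path.join(uploads, "link.txt"))

        results = {
            "relative_ok": safe_delete(uploads, "2026/03/photo.jpg"),
            "traversal": safe_delete(uploads, "../outside/secret.txt"),
            "absolute": safe_delete(uploads, secret),
            "symlink_escape": safe_delete(uploads, "link.txt"),
            "unknown_file": safe_delete(uploads, "2026/03/missing.jpg"),
        }
        results["secret_survived"] = os.path.exists(secret)
        results["legit_removed"] = not os.path.exists(legit)
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The symlink case is the one a pure string filter cannot catch: `link.txt` contains no `..` and no separator at all, yet `realpath` resolves it to a file outside the upload tree and the `commonpath` comparison rejects it. Checking the prefix with `commonpath` rather than `startswith` also avoids accepting a sibling directory whose name merely begins with the base name (for example `uploads-old` next to `uploads`).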

