CVE-2018-25308
Authenticated File Deletion in BuddyPress Xprofile Custom Fields Type

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulnCheck

Description
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.
Meta Information
Published: 2026-04-29
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: buddypress
Product: xprofile_custom_fields_type
Version / Range: up to and including 2.6.3
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

The BuddyPress Xprofile Custom Fields Type plugin version 2.6.3 contains a remote code execution vulnerability due to improper input validation and lack of sanitization of certain POST parameters.

Authenticated users can manipulate the parameters field_hiddenfile and field_deleteimg during profile editing to delete arbitrary files on the server. This happens because these parameters are not properly escaped or sanitized, allowing attackers to perform unauthorized file deletion.

By exploiting this, an attacker can unlink files from the server, which can be leveraged to execute malicious code remotely.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized deletion of arbitrary files on the server.

Such file deletions can disrupt website functionality, cause data loss, and potentially allow attackers to execute remote code, leading to full compromise of the affected system.

Because the vulnerability requires only authenticated access, any registered user could exploit it, increasing the risk from insider threats or compromised accounts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation can be detected by monitoring for unusual POST requests to the profile-editing flow of BuddyPress Xprofile Custom Fields Type plugin version 2.6.3 that carry the file-deletion parameters field_hiddenfile and field_deleteimg.

One way to detect exploitation attempts is to look for authenticated user POST requests containing these parameters with suspicious or unexpected file paths.

Commands to detect such activity could include inspecting web server logs for POST requests with these parameters. For example, using grep on Apache or Nginx logs:

  • grep -i 'field_hiddenfile' /var/log/apache2/access.log
  • grep -i 'field_deleteimg' /var/log/apache2/access.log

Additionally, monitoring for unexpected file deletions or changes in the upload directories used by BuddyPress profiles could help detect exploitation.
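As an added detection example that is not part of the advisory, this Python script applies the log-inspection idea above to a log that records POST form bodies, such as a WAF or ModSecurity audit log; default Apache and Nginx access logs do not record request bodies, so the grep commands above only match when logging is configured to capture them. The log line layout, client addresses, user names and parameter values below are constructed for the example, and the profile-edit path is assumed.

```python
import re
from urllib.parse import parse_qs

# The two POST parameters the advisory names as the unescaped inputs
# that end up in the plugin's file-unlink call.
WATCHED_PARAMS = ("field_hiddenfile", "field_deleteimg")

# A legitimate value should be a bare filename inside the upload directory.
# Traversal sequences, absolute paths, null bytes or URL schemes are suspect.
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|^/|^[A-Za-z]:\\|\x00|%00|^\w+://)")


def flag_request(method: str, body: str) -> list[tuple[str, str]]:
    """Return (param, value) pairs from a POST body that look like path abuse."""
    if method.upper() != "POST":
        return []
    hits = []
    params = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SUSPICIOUS.search(value) or "/" in value or "\\" in value:
                hits.append((name, value))
    return hits


# Constructed sample lines: "<client> <user> <method> <path> <form body>",
# the layout a body-recording audit log is assumed to emit (not a real format).
SAMPLE_LOG = [
    "203.0.113.5 alice POST /members/alice/profile/edit/group/1/ field_1=hello&field_hiddenfile=avatar.jpg",
    "203.0.113.9 mallory POST /members/mallory/profile/edit/group/1/ field_deleteimg=../../../../index.php",
    "203.0.113.9 mallory POST /members/mallory/profile/edit/group/1/ field_hiddenfile=%2Fvar%2Fwww%2Fhtml%2Freadme.html",
    "198.51.100.2 bob GET /members/bob/profile/ field_deleteimg=../x",
]


def scan_log(lines):
    """Walk log lines and collect one alert per suspicious watched parameter."""
    alerts = []
    for line in lines:
        parts = line.split(" ", 4)
        if len(parts) < 5:
            continue  # malformed line, not in the assumed layout
        client, user, method, path, body = parts
        for name, value in flag_request(method, body):
            alerts.append({"client": client, "user": user, "path": path,
                           "param": name, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Values that are plain filenames pass silently; only the two mallory lines are reported, while the GET line is ignored because the plugin's deletion path is only reachable through POST.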


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting which authenticated users may edit profiles, so that fewer accounts can reach the request path that carries the file-deletion parameters.

Disabling or removing the BuddyPress Xprofile Custom Fields Type plugin version 2.6.3 until a patched version is available is recommended.

Implementing web application firewall (WAF) rules to block or sanitize POST requests containing the field_hiddenfile and field_deleteimg parameters can help prevent exploitation.

Regularly monitoring logs for suspicious activity and ensuring backups are in place to recover any deleted files are also important immediate steps.


Can you explain this vulnerability to me?

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files on the server.

This happens because the application does not properly escape certain POST parameters, specifically field_hiddenfile and field_deleteimg, which can be manipulated during profile editing to unlink files from the server.


How can this vulnerability impact me?

An attacker who is authenticated can exploit this vulnerability to delete arbitrary files on the server hosting the BuddyPress Xprofile Custom Fields Type 2.6.3.

This can lead to loss of important data, disruption of service, and potentially further exploitation if critical system or application files are removed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 directly affects compliance with common standards and regulations such as GDPR or HIPAA.

