CVE-2025-14675
Published: 07 March 2026
Summary
CVE-2025-14675 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (product inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Meta Box plugin for WordPress is affected by CVE-2025-14675, an arbitrary file deletion vulnerability stemming from insufficient file path validation in the ajax_delete_file function. The flaw impacts all versions through 5.11.1 and is tracked under CWE-22 path traversal. It carries a CVSS 3.1 score of 7.2, reflecting high confidentiality, integrity, and availability impact when exploited over the network.
Authenticated users with Contributor-level privileges or higher can exploit the issue by supplying crafted file paths through the affected AJAX handler, enabling deletion of arbitrary files on the underlying server. Successful deletion of critical files such as wp-config.php can readily result in remote code execution and full site compromise.
Public references point to a fix merged in pull request 1654 and reflected in changeset 3475210, with the vulnerable code located in inc/fields/file.php of versions up to 5.11.0. The Wordfence advisory recommends updating the plugin to a patched release to eliminate the path validation weakness. The associated EPSS score remains flat at 0.0101 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208353
Vulnerability details
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress plugin enables authenticated arbitrary file deletion (T1070.004) and facilitates initial access via exploitation of the exposed application (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of file-path inputs in ajax_delete_file to block traversal and arbitrary deletion.
- AC-3 (Access Enforcement): enforces that Contributor-level sessions cannot perform file-delete operations outside the intended Meta Box scope.
- Mandates timely application of the published patch (PR 1654 / changeset 3475210) that corrects the path-validation flaw.
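As an added illustration (not code from the Meta Box plugin or from the referenced fix), the following PHP shows the containment check that the SI-10 control above describes: a user-supplied path is accepted for deletion only if it canonicalises to a regular file strictly inside the directory the handler is meant to manage. The directory layout, file names and request strings are constructed for the demo; the function names are the example's own.

```php
<?php
// Added illustration, not Meta Box plugin code. Shows the containment
// check a file-delete handler needs so that a user-supplied path can
// only name a file inside the directory the handler is meant to manage.

/**
 * Resolve $requested relative to $base and return the canonical absolute
 * path if it is an existing regular file strictly inside $base.
 * Returns null for everything else: "..", symlinks escaping the base,
 * absolute paths, NUL bytes, directories and missing files.
 */
function resolve_deletable_file(string $base, string $requested): ?string
{
    $real_base = realpath($base);
    if ($real_base === false || !is_dir($real_base)) {
        return null; // the managed directory itself must exist
    }
    if (strpos($requested, "\0") !== false) {
        return null; // embedded NUL bytes are never legitimate here
    }
    // realpath() collapses "..", "." and symlinks into the filesystem's own
    // view of the path, so the prefix comparison is made on canonical paths.
    $candidate = realpath($real_base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // does not exist, or is not a regular file
    }
    // Strict containment: the candidate must begin with "<base>/".
    $prefix = rtrim($real_base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Delete the file named by $requested only if it resolves inside $base.
 * Returns true on success, false if the request was rejected or unlink failed.
 */
function delete_within_base(string $base, string $requested): bool
{
    $target = resolve_deletable_file($base, $requested);
    return $target !== null && unlink($target);
}

// --- constructed demo layout in a temp directory (not real site data) ---
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cve-2025-14675-demo-' . getmypid();
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads . '/2026/03', 0700, true);
file_put_contents($uploads . '/2026/03/report.pdf', 'attachment body');
file_put_contents($root . '/wp-config.php', 'outside the managed directory');
symlink($root . '/wp-config.php', $uploads . '/2026/03/escape'); // link pointing outside

$requests = [
    '2026/03/report.pdf',          // legitimate attachment inside base: ALLOW
    '../wp-config.php',            // resolves to an existing file outside base: REJECT
    '2026/03/../../wp-config.php', // traversal hidden mid-path: REJECT
    '2026/03/escape',              // symlink whose target is outside base: REJECT
    '2026/03',                     // a directory, not a regular file: REJECT
    $root . '/wp-config.php',      // absolute path: REJECT
];

foreach ($requests as $req) {
    $verdict = resolve_deletable_file($uploads, $req) === null ? 'REJECT' : 'ALLOW ';
    echo $verdict, '  ', $req, PHP_EOL;
}

// Remove the constructed layout again.
unlink($uploads . '/2026/03/escape');
unlink($uploads . '/2026/03/report.pdf');
unlink($root . '/wp-config.php');
rmdir($uploads . '/2026/03'); rmdir($uploads . '/2026'); rmdir($uploads); rmdir($root);
```

In a WordPress AJAX handler this check would run after the nonce check (check_ajax_referer()) and a capability check (current_user_can()), with wp_upload_dir()['basedir'] or a narrower plugin-owned subdirectory as $base; pairing it with a check that the caller owns the attachment being removed is what the AC-3 control above asks for. Rejected requests are worth logging, since a Contributor session submitting paths that resolve outside the managed directory is a clear detection signal.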