Cyber Resilience

CVE-2025-14675

Severity: High

Published: 07 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0101 (77.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14675 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The Meta Box plugin for WordPress is affected by CVE-2025-14675, an arbitrary file deletion vulnerability stemming from insufficient file path validation in the ajax_delete_file function. The flaw impacts all versions through 5.11.1 and is tracked under CWE-22 path traversal. It carries a CVSS 3.1 score of 7.2, reflecting high confidentiality, integrity, and availability impact when exploited over the network.

Authenticated users with Contributor-level privileges or higher can exploit the issue by supplying crafted file paths through the affected AJAX handler, enabling deletion of arbitrary files on the underlying server. Successful deletion of critical files such as wp-config.php can readily result in remote code execution and full site compromise.

Public references point to a fix merged in pull request 1654 and reflected in changeset 3475210, with the vulnerable code located in inc/fields/file.php of versions up to 5.11.0. The Wordfence advisory recommends updating the plugin to a patched release to eliminate the path validation weakness. The associated EPSS score remains flat at 0.0101 with no material increase observed after disclosure.
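The two controls this page maps to the flaw, input validation of the file path (SI-10) and enforcement of who may delete (AC-3), can be seen together in a hardened AJAX delete handler. The following is an added example written for this page; it is not Meta Box code and not the fix from PR 1654. The function and hook names (`example_confined_file_path`, `example_ajax_delete_upload`, the `example_delete_upload` nonce action) are hypothetical; only the WordPress API calls are real.

```php
<?php
// Added example (not Meta Box's code): a hardened WordPress AJAX delete handler
// illustrating the two controls this advisory maps to the flaw:
//   SI-10  validate the file-path input so it cannot traverse out of the
//          directory the feature is meant to manage, and
//   AC-3   enforce that the caller is allowed to perform the deletion.
// Function and hook names are hypothetical; the WordPress functions used
// (wp_upload_dir, check_ajax_referer, current_user_can, wp_delete_file,
// wp_normalize_path, wp_send_json_*) are real.

/**
 * Return the canonical absolute path of $candidate if, and only if, it is a
 * regular file located inside $base_dir. Returns null otherwise.
 *
 * realpath() resolves "..", "." and symlinks, so the containment check is
 * performed on the resolved path rather than on the user-supplied string.
 */
function example_confined_file_path( string $base_dir, string $candidate ): ?string {
    // Embedded NUL bytes truncate paths in C-level calls; refuse them outright.
    if ( false !== strpos( $candidate, "\0" ) ) {
        return null;
    }

    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null; // base directory does not exist; refuse everything
    }
    $base = rtrim( wp_normalize_path( $base ), '/' ) . '/';

    // Strip a leading separator so an absolute path cannot bypass the base dir.
    $target = realpath( $base_dir . '/' . ltrim( $candidate, '/\\' ) );
    if ( false === $target || ! is_file( $target ) ) {
        return null; // nonexistent, or a directory rather than a file
    }
    $target = wp_normalize_path( $target );

    // Prefix check on the resolved path: "uploads/../wp-config.php" resolves
    // to ".../wp-config.php", which does not start with $base and is rejected.
    if ( 0 !== strncmp( $target, $base, strlen( $base ) ) ) {
        return null;
    }
    return $target;
}

/**
 * Hypothetical AJAX handler. The wp_ajax_ hook only fires for logged-in
 * users; the capability check below restricts it further.
 */
function example_ajax_delete_upload(): void {
    // CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_delete_upload', 'nonce' );

    // AC-3: Contributor-level accounts must not reach the deletion code.
    // 'upload_files' is granted to Authors and above in a default install.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // SI-10: treat the submitted path as untrusted and confine it to the
    // uploads directory; anything that resolves outside it is rejected.
    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $uploads   = wp_upload_dir();
    $path      = example_confined_file_path( $uploads['basedir'], $requested );

    if ( null === $path ) {
        wp_send_json_error( 'file is outside the managed directory or does not exist', 400 );
    }

    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
add_action( 'wp_ajax_example_delete_upload', 'example_ajax_delete_upload' );
```

The containment check deliberately runs on the output of `realpath()` rather than on the raw input: rejecting `..` substrings alone misses encoded variants and symlinks, whereas comparing the resolved path against the resolved base directory catches every route out of the managed directory. Pairing that with a capability check means a bypass of either control still leaves the other in place.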

EU & UK References

Vulnerability details

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.

Why these techniques?

Path traversal in public-facing WP plugin enables authenticated arbitrary file deletion (T1070.004) and facilitates initial access via exploitation of the exposed application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-3666 (shared CWE-22)
- CVE-2018-25308 (shared CWE-22)
- CVE-2026-22460 (shared CWE-22)
- CVE-2025-69377 (shared CWE-22)
- CVE-2025-14850 (shared CWE-22)
- CVE-2025-26752 (shared CWE-22)
- CVE-2026-4350 (shared CWE-22)
- CVE-2025-65792 (shared CWE-22)
- CVE-2026-4758 (shared CWE-22)
- CVE-2026-0704 (shared CWE-22)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-10 Information Input Validation [prevent]: Directly requires validation of file-path inputs in ajax_delete_file to block traversal and arbitrary deletion.
- AC-3 Access Enforcement [prevent]: Enforces that Contributor-level sessions cannot perform file-delete operations outside the intended Meta Box scope.
- Patch application [prevent]: Mandates timely application of the published patch (PR 1654 / changeset 3475210) that corrects the path-validation flaw.

References