Cyber Posture

CVE-2025-14675

High

Published: 07 March 2026

Published
07 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0097 76.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-14675 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation
addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
Why these techniques?

Path traversal in public-facing WP plugin enables authenticated arbitrary file deletion (T1070.004) and facilitates initial access via exploitation of the exposed application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access…

more

and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Deeper analysisAI

CVE-2025-14675 is a vulnerability in the Meta Box plugin for WordPress that enables arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function. It affects all versions of the plugin up to and including 5.11.1. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H).

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity. By leveraging the flawed validation, they can delete arbitrary files on the server, potentially leading to remote code execution—for instance, by targeting critical files like wp-config.php.

Mitigation is addressed in advisories and patches referenced in the CVE details. A fix is available via GitHub pull request 1654 in the wpmetabox/meta-box repository, with corresponding changes in WordPress plugin trac changeset 3475210. Security practitioners should update to a version beyond 5.11.1, as detailed in the Wordfence threat intelligence report and code diffs at the provided trac locations.

Details

CWE(s)
CWE-22

Affected Products

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-2328Shared CWE-22
CVE-2025-66251Shared CWE-22
CVE-2025-6439Shared CWE-22
CVE-2025-14344Shared CWE-22
CVE-2026-6832Shared CWE-22
CVE-2026-34728Shared CWE-22
CVE-2025-65792Shared CWE-22
CVE-2025-1336Shared CWE-22
CVE-2025-66410Shared CWE-22
CVE-2026-41058Shared CWE-22

References