Cyber Resilience

CVE-2025-14804

Severity: High

Published: 07 January 2026
Modified: 15 April 2026
KEV added: not listed
Patch: available
CVSS v3.1 score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
EPSS score: 0.0003 (10.3rd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-14804 is a high-severity vulnerability of unspecified weakness type (no CWE listed). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 10.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-14804 is a vulnerability in the Frontend File Manager Plugin for WordPress, affecting versions prior to 23.5. The flaw arises from the plugin's failure to validate a path parameter and to verify ownership of the referenced file, which permits unauthorized file manipulation. The CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N) reflects network-based exploitation with low attack complexity, low privileges required and no user interaction, resulting in a high integrity impact with a changed scope.

Any authenticated WordPress user, including low-privilege accounts such as subscribers, can exploit this vulnerability remotely without user interaction. Attackers can delete arbitrary files on the server by crafting requests that bypass the inadequate controls, potentially disrupting site functionality, causing denial of service, or enabling further attacks if sensitive configuration files or dependencies are targeted.

WPScan advisories (https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/) detail the issue and recommend updating the Frontend File Manager Plugin to version 23.5 or later as the primary mitigation, which introduces proper path validation and ownership checks to prevent unauthorized deletions.
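As an added example (not the plugin's own code), the two checks the advisory describes as missing, path validation and file ownership, written as a hardened WordPress AJAX delete handler; the hook name, nonce action, the `path` request parameter and the per-user directory layout are all assumptions.

```php
<?php
// Added example, not the Frontend File Manager Plugin's code. Shows a
// file-delete handler that validates the requested path and ties deletion to
// the calling user's own files. Hook name, nonce action, the 'path' parameter
// and the <uploads>/example-ffm/<user_id>/ layout are assumptions.
add_action( 'wp_ajax_example_ffm_delete', 'example_ffm_delete_file' );

function example_ffm_delete_file() {
    // CSRF check. A plain wp_ajax_ hook (no nopriv variant) already
    // rejects unauthenticated callers before this function runs.
    check_ajax_referer( 'example_ffm_delete', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // Ownership: a user may only touch files under their own directory.
    $uploads  = wp_upload_dir();
    $user_dir = realpath( trailingslashit( $uploads['basedir'] ) . 'example-ffm/' . $user_id );
    if ( false === $user_dir ) {
        wp_send_json_error( 'no files for this user', 404 );
    }
    $user_dir = trailingslashit( wp_normalize_path( $user_dir ) );

    // Path validation: canonicalise the requested path and require that it
    // still lies inside the user's directory. realpath() resolves '..' and
    // symlinks, so a traversal string ends up outside the prefix and is refused.
    $requested = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    $target    = realpath( $user_dir . ltrim( $requested, '/\\' ) );
    $target    = ( false === $target ) ? false : wp_normalize_path( $target );

    if ( false === $target
        || 0 !== strpos( $target, $user_dir )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( 'deleted' );
}
```

Without the prefix comparison, a request such as `path=../../wp-config.php` would resolve to a file outside the user's directory, which is the class of deletion the advisory describes.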

Vulnerability details

The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and the ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Vulnerability in public-facing WordPress plugin enables remote authenticated exploitation for arbitrary file deletion, directly mapping to public app exploitation and data destruction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 mandates validation of path parameters to block path traversal exploits enabling arbitrary file deletion.

Prevent: AC-3 enforces access controls, including file ownership checks, to prevent unauthorized deletions by low-privilege authenticated users.

Prevent: AC-6 least privilege limits file deletion to authorized users only, reducing risk from subscriber exploitation of the plugin endpoint.
