CVE-2025-14804
Published: 07 January 2026
Summary
CVE-2025-14804 is a high-severity vulnerability whose weakness type is unspecified. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the 10.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-14804 is a vulnerability in the Frontend File Manager Plugin for WordPress, affecting versions prior to 23.5. The flaw arises from the plugin's failure to validate a path parameter and to verify ownership of the referenced file, which permits unauthorized file manipulation. It is assigned a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N): network-based exploitation with low attack complexity, low privileges required and no user interaction, resulting in high integrity impact across a changed scope.
Any authenticated WordPress user, including low-privilege accounts such as subscribers, can exploit this vulnerability remotely without user interaction. Attackers can delete arbitrary files on the server by crafting requests that bypass the inadequate controls, potentially disrupting site functionality, causing denial of service, or enabling further attacks if sensitive configuration files or dependencies are targeted.
WPScan advisories (https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/) detail the issue and recommend updating the Frontend File Manager Plugin to version 23.5 or later as the primary mitigation, which introduces proper path validation and ownership checks to prevent unauthorized deletions.
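The two missing checks described above, path validation and file ownership, are shown side by side below as an added illustration; this is not the plugin's code or the vendor's fix. It assumes uploads live under one base directory and that a hypothetical `$owner_of` lookup returns the WordPress user id that owns a given file.

```php
<?php
// Constructed example (not the Frontend File Manager Plugin's code).

// Weak pattern: the user-supplied path is trusted and no ownership check is made.
function delete_unchecked(string $base_dir, string $user_path): bool {
    return unlink($base_dir . '/' . $user_path);   // any "../" segment escapes $base_dir
}

// SI-10 (input validation): canonicalise and confine the path to $base_dir.
function resolve_inside_base(string $base_dir, string $user_path): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                                 // base directory must exist
    }
    // Reject NUL bytes and absolute paths before touching the filesystem.
    if (strpos($user_path, "\0") !== false || $user_path === '' || $user_path[0] === '/') {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($candidate === false) {
        return null;                                 // target does not exist
    }
    // Canonical prefix check: the resolved target must sit strictly under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                 // traversal or symlink escape
    }
    return $candidate;
}

// AC-3 (access enforcement): the caller may only delete files they own.
// $owner_of is a hypothetical lookup: resolved path -> owning user id, or null.
function delete_checked(string $base_dir, string $user_path, int $current_user, callable $owner_of): bool {
    $resolved = resolve_inside_base($base_dir, $user_path);
    if ($resolved === null) {
        return false;                                // invalid or out-of-bounds path
    }
    $owner = $owner_of($resolved);
    if ($owner === null || $owner !== $current_user) {
        return false;                                // not the owner: deny and log
    }
    return unlink($resolved);
}
```

In a WordPress plugin the `$current_user` argument would come from `get_current_user_id()`, and a capability check such as `current_user_can()` plus a nonce check would sit in front of `delete_checked()`.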
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1227
Vulnerability details
The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter or the ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables remote, authenticated exploitation for arbitrary file deletion, mapping directly to exploitation of a public-facing application and to data destruction.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of the path parameter, blocking the path traversal that enables arbitrary file deletion.
AC-3 enforces access controls, including file ownership checks, to prevent unauthorized deletions by low-privilege authenticated users.
AC-6 least privilege limits file deletion to authorized users only, reducing risk from subscriber exploitation of the plugin endpoint.