
CVE-2025-14829

Severity: Critical
Published: 13 January 2026
Modified: 15 April 2026
CVSS v3.1 base score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS score: 0.0027 (18.1th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-14829 is a critical-severity vulnerability whose weakness type is unspecified (no CWE has been assigned). Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 18.1th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14829 is a critical vulnerability in the E-xact | Hosted Payment WordPress plugin through version 2.0, stemming from insufficient file path validation that enables arbitrary file deletion. Published on 2026-01-13, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its high impact on integrity and availability with no confidentiality impact.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows deletion of arbitrary files on the affected server, potentially disrupting services, destroying data, or enabling further compromise by targeting critical configuration files, logs, or other system resources.

Mitigation details are outlined in the WPScan advisory at https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/. Security practitioners should review it for patching guidance, such as updating to a fixed version if available or implementing compensating controls like file permission hardening.


Vulnerability details

The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

CWE(s)
None listed

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.

T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

Why these techniques?

Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) enables arbitrary file deletion, which can serve both indicator removal (T1070.004) and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent): Directly counters the insufficient file path validation by requiring organizations to validate all inputs, preventing arbitrary file deletion via malicious paths.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation, such as patching the vulnerable E-xact WordPress plugin, to eliminate the arbitrary file deletion capability.

Access restriction for changes (prevent): Restricts logical access for changes such as file deletions, providing compensating protection through hardened file permissions even if path validation fails.
