CVE-2025-14829
Published: 13 January 2026
Summary
CVE-2025-14829 is a critical-severity vulnerability whose weakness type (CWE) is unspecified. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit-likelihood percentile is 18.1 (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-14829 is a critical vulnerability in the E-xact | Hosted Payment WordPress plugin through version 2.0, stemming from insufficient file path validation that enables arbitrary file deletion. Published on 2026-01-13, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), highlighting its high impact on integrity and availability with no confidentiality impact.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows deletion of arbitrary files on the affected server, potentially disrupting services, destroying data, or enabling further compromise by targeting critical configuration files, logs, or other system resources.
Mitigation details are outlined in the WPScan advisory at https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/. Security practitioners should review it for patching guidance, such as updating to a fixed version if available or implementing compensating controls like file permission hardening.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2349
Vulnerability details
The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress plugin (T1190) enables arbitrary file deletion, which in turn supports indicator removal (T1070.004) and data destruction (T1485).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 (Information Input Validation): directly counters the insufficient file path validation by requiring organizations to validate all inputs, preventing arbitrary file deletion via malicious paths.
SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching the vulnerable E-xact WordPress plugin, to eliminate the arbitrary file deletion capability.
Restricts logical access for changes like file deletions, providing compensating protection through hardened file permissions even if path validation fails.
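As an added illustration of the root cause described in the deeper analysis and of the SI-10 control above, the following PHP is example code written for this page, not code from the E-xact plugin or the WPScan advisory: a hypothetical delete helper that resolves the requested name against one allowed directory and refuses anything that escapes it. The directory name, file name and function name are all constructed for the demo.

```php
<?php
// Added example, not the plugin's code. The unsafe pattern behind this CVE class
// is passing a user-supplied path straight to unlink(); this helper instead
// confines deletion to a single allowed directory and fails closed on any doubt.

/**
 * Delete a file identified by a plain filename inside $allowed_dir.
 * Returns true only when a regular file inside $allowed_dir was removed;
 * on any validation failure it returns false and deletes nothing.
 */
function safe_delete_in_dir(string $allowed_dir, string $requested): bool {
    // Canonicalise the allowed directory once; fail closed if it does not exist.
    $base = realpath($allowed_dir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Accept only a bare filename: no separators, no "." or "..", no NUL byte.
    if ($requested === '' || $requested !== basename($requested)
        || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false) {
        return false;
    }
    // Resolve the candidate (following symlinks) and confirm it is a regular file.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // The resolved path must still start with "<base>/"; this catches symlinks
    // that point outside the directory even though the name itself looked clean.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo: a temporary directory holding one file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'exact_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'receipt.txt', 'x');
printf("traversal name rejected: %s\n", var_export(!safe_delete_in_dir($dir, '../../not-allowed.txt'), true));
printf("plain name deleted:      %s\n", var_export(safe_delete_in_dir($dir, 'receipt.txt'), true));
rmdir($dir);
```

In a WordPress handler the call would additionally sit behind a capability check such as current_user_can() and a nonce check, since the advisory notes the deletion is reachable unauthenticated.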