CVE-2025-14868
Published: 16 April 2026
Summary
CVE-2025-14868 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses missing nonce validation and insufficient file path validation by requiring comprehensive checks on inputs for the delete action to block CSRF and path traversal.
- SC-23 (Session Authenticity): Enforces mechanisms like CSRF tokens or nonces to protect session authenticity, preventing unauthenticated attackers from forging admin requests to delete arbitrary files.
- SI-2 (Flaw Remediation): Requires timely flaw remediation, including patching the Career Section plugin beyond version 1.6 to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF in public-facing WordPress plugin directly enables remote exploitation of web apps (T1190) to perform arbitrary file deletion, facilitating data destruction (T1485).
NVD Description
The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform_options_page_html' function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Deeper analysis
CVE-2025-14868 is a Cross-Site Request Forgery (CSRF) vulnerability in the Career Section plugin for WordPress, affecting all versions up to and including 1.6. The flaw enables Path Traversal and Arbitrary File Deletion due to missing nonce validation and insufficient file path validation in the delete action of the 'appform_options_page_html' function. Published on 2026-04-16, it is associated with CWE-22 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking a malicious link, which triggers a forged request to delete arbitrary files on the server. Successful exploitation requires user interaction from an authenticated administrator but no prior privileges, allowing remote network-based attacks with low complexity and significant impacts on confidentiality, integrity, and availability.
Mitigation details are provided in the Wordfence threat intelligence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/84936b68-923a-4da1-ae67-1d63d025342e?source=cve), and the fix is in WordPress plugin trac changeset 3474216 (https://plugins.trac.wordpress.org/changeset/3474216/career-section); security practitioners should apply it by updating the plugin to a version later than 1.6.
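The two defects the advisory names (no nonce check, no file path validation on an admin delete action) map onto a standard hardening pattern. The handler below is an added example written for this page, not the Career Section plugin's code or its patch; the action name 'cs_delete_upload', the nonce action 'cs_delete_upload_nonce', the POST field 'file' and the uploads subdirectory 'career-section' are all hypothetical.

```php
<?php
// Added example, not the plugin's code: a WordPress admin "delete file"
// handler with the checks whose absence the advisory describes.
// Hypothetical names: action 'cs_delete_upload', nonce 'cs_delete_upload_nonce',
// POST field 'file', uploads subdirectory 'career-section'.

function cs_handle_delete_file() {
    // 1. Authorisation: only users who may manage options can delete.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check (SC-23, session authenticity): a request forged from
    //    another site cannot carry a valid nonce for this user, so it dies here.
    check_admin_referer( 'cs_delete_upload_nonce', '_cs_nonce' );

    // 3. Input validation (SI-10): accept a bare file name only, never a path.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
    }

    // 4. Confine deletion to one directory; compare canonical paths so that
    //    '..' segments and symlinks cannot point outside it.
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] . '/career-section' );
    $target = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_die( 'File not found or outside the allowed directory.', '', array( 'response' => 400 ) );
    }

    wp_delete_file( $target );
    wp_safe_redirect( add_query_arg( 'deleted', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_cs_delete_upload', 'cs_handle_delete_file' );

// The admin form that submits the request must embed the matching nonce:
// <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
//   <input type="hidden" name="action" value="cs_delete_upload">
//   <?php wp_nonce_field( 'cs_delete_upload_nonce', '_cs_nonce' ); ?>
//   <input type="text" name="file">
// </form>
```

Steps 2 and 4 are independent: the nonce stops the cross-site trigger, and the canonical-path check stops traversal even if a legitimately authenticated administrator submits a malformed name.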
Details
- CWE(s)