CVE-2025-5014
Published: 02 July 2025
Summary
CVE-2025-5014 is a high-severity Path Traversal (CWE-22) vulnerability in Localhost:1337 (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Home Villas Real Estate WordPress theme is vulnerable to arbitrary file deletion in all versions through 2.8. The flaw stems from insufficient path validation inside the wp_rem_cs_widget_file_delete function, which permits path traversal and is tracked as CWE-22. The issue carries a CVSS 3.1 score of 8.8.
Authenticated users with Subscriber privileges or higher can invoke the function over the network to delete arbitrary files on the underlying server. Successful deletion of files such as wp-config.php can be chained to achieve remote code execution and full site compromise.
EPSS for the vulnerability has remained flat at 0.0334 with no material increase since disclosure. The supplied references point to the vulnerable code path and a Wordfence advisory entry but contain no details on patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19678
Vulnerability details
The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for…
more
authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.