Cyber Resilience

CVE-2025-5014

High

Published: 02 July 2025

Published
02 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0334 87.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5014 is a high-severity Path Traversal (CWE-22) vulnerability in Localhost:1337 (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Home Villas Real Estate WordPress theme is vulnerable to arbitrary file deletion in all versions through 2.8. The flaw stems from insufficient path validation inside the wp_rem_cs_widget_file_delete function, which permits path traversal and is tracked as CWE-22. The issue carries a CVSS 3.1 score of 8.8.

Authenticated users with Subscriber privileges or higher can invoke the function over the network to delete arbitrary files on the underlying server. Successful deletion of files such as wp-config.php can be chained to achieve remote code execution and full site compromise.

EPSS for the vulnerability has remained flat at 0.0334 with no material increase since disclosure. The supplied references point to the vulnerable code path and a Wordfence advisory entry but contain no details on patches or mitigation steps.

EU & UK References

Vulnerability details

The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for…

more

authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Localhost:1337
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References