CVE-2025-7846
Published: 31 October 2025
Summary
CVE-2025-7846 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the insufficient file path validation in save_fields() by requiring validation of inputs to block absolute path traversal and arbitrary file deletion.
Mandates timely remediation of the plugin flaw through patching or correction to eliminate the arbitrary file deletion vulnerability.
Enforces least privilege to restrict Subscriber-level users from accessing file deletion functions, mitigating the low-privilege authenticated exploit vector.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in a WordPress plugin enables exploitation of a public-facing web application (T1190). With low-privilege (Subscriber) access, arbitrary file deletion facilitates privilege escalation to full server compromise (T1068).
NVD Description
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with…
more
Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Deeper analysisAI
CVE-2025-7846 is an arbitrary file deletion vulnerability in the WordPress User Extra Fields plugin for WordPress, affecting all versions up to and including 16.7. The issue stems from insufficient file path validation in the save_fields() function, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-36 (Absolute Path Traversal). Published on 2025-10-31, it allows attackers to target and remove files on the server without proper restrictions.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating file paths, they can delete arbitrary files, potentially leading to remote code execution—for instance, by removing critical configuration files like wp-config.php, which could disrupt site functionality or enable further compromise.
Mitigation details are available in related advisories, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve and the plugin's CodeCanyon page at https://codecanyon.net/item/user-extra-fields/12949844. Security practitioners should review these for patch availability or workaround guidance specific to the plugin.
Details
- CWE(s)