CVE-2025-14037

Published: Mar 21, 2026 Last Modified: Mar 21, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: high

User Interaction: required

Scope: changed

Confidentiality: none

Integrity: high

Availability: high

Description

AI Translation Available

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.

352

Cross-Site Request Forgery (CSRF)

Stable

Abstraction: Compound Structure: Composite

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Non-Repudiation Access Control

Potential Impacts:

Gain Privileges Or Assume Identity Bypass Protection Mechanism Read Application Data Modify Application Data Dos: Crash, Exit, Or Restart

Applicable Platforms

Technologies: Web Based, Web Server

Likelihood of Exploit: Medium

View CWE Details

http://plugins.trac.wordpress.org/browser/invelity-products…

http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes…

https://www.wordfence.com/threat-intel/vulnerabilities/id/8…

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a7…

CVE-2025-14037

Description

Cross-Site Request Forgery (CSRF)

Common Consequences

Applicable Platforms

Iscriviti alla newsletter