Vulnerability Description
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79
FAQ
What is CVE-2025-14037?
CVE-2025-14037 is a vulnerability with a CVSS score of 8.1 (HIGH). The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitizat...
How severe is CVE-2025-14037?
CVE-2025-14037 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14037?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.