Arbitrary File Deletion in WordPress User Extra Fields Plugin
CVE-2025-7846

8.8HIGH

Key Information:

Vendor: WordPress
Status: WordPress User Extra Fields
Vendor: CVE Published:; 31 October 2025

What is CVE-2025-7846?

The WordPress User Extra Fields plugin is affected by a vulnerability that allows authenticated users with Subscriber-level access and above to execute arbitrary file deletions on the server. This arises from inadequate validation of file paths in the save_fields() function. An attacker could exploit this flaw to delete critical files, potentially leading to remote code execution, particularly if key configuration files like wp-config.php are targeted. Users are advised to update to the latest version and implement security measures to mitigate risks.

Affected Version(s)

WordPress User Extra Fields * <= 16.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://codecanyon.net/item/user-extra-fields/12949844

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2025
Vulnerability Reserved
Jul 18, 2025

Credit

Tonn

JSON