CVE-2025-14037

High CVSS: 8.1

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.

Vendor

Product

CWE

CWE-352

Yayın Tarihi

2026-03-21 04:16:51

Güncelleme

2026-03-23 14:32:02

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-352 HIGH 2026

Referanslar

http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60 https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve