CVE-2025-14037

EUVD-2025-208918

21.03.2026, 04:16

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.

CSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H
Wordfence	CNA	8.1 HIGH				CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-352 - Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References

http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60

https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve