CVE Alert: CVE-2025-7846 – vanquish – WordPress User Extra Fields
CVE-2025-7846
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Summary Analysis
Risk verdict
High risk: authenticated (Subscriber+) access can trigger arbitrary file deletion with a high potential for remote code execution; patching and containment should be a priority.
Why this matters
Deleting a file such as wp-config.php can take a WordPress site out of service or, worse, hand it to the attacker: with wp-config.php gone, WordPress presents its installation wizard again, which lets whoever reaches it first point the site at a database they control and finish setup as an administrator, after which a web shell is one plugin upload away. Low preconditions (any authenticated low-privilege account, no user interaction, reachable over the network) combined with high impact on confidentiality, integrity and availability make exploitation of unpatched, public-facing deployments straightforward.
Most likely attack path
An authenticated Subscriber (or higher) user submits input that reaches the plugin's save_fields() function carrying a file path the function does not validate. The flaw lets the attacker delete any file the web server's user is able to remove; no user interaction is required beyond a valid login. When the deleted file is a critical one such as wp-config.php, the attacker can move from a single plugin action to full site compromise, because WordPress then re-enters its setup routine.
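The bug class behind this advisory is easier to see in code. The following is an added example, not the plugin's code (the page does not reproduce save_fields()): a generic "delete a user-named file" routine with no containment check beside a hardened version that confines deletions to an upload directory. The function names, the throwaway WordPress-like directory tree and the sample inputs are all constructed for illustration.

```python
"""Arbitrary file deletion via an unvalidated path, next to a confined delete.

Generic illustration of the bug class; NOT the plugin's own code. The names
vulnerable_delete/safe_delete and the fake site layout are assumptions made
for this example.
"""
import os
import shutil
import tempfile


def vulnerable_delete(base_dir: str, user_path: str) -> bool:
    """Delete whatever the request names: no containment check at all.

    os.path.join discards base_dir entirely when user_path is absolute and
    does nothing about '..' components, so both escapes reach os.unlink.
    """
    target = os.path.join(base_dir, user_path)
    if os.path.isfile(target):
        os.unlink(target)
        return True
    return False


def safe_delete(base_dir: str, user_path: str) -> bool:
    """Delete user_path only if it resolves to a regular file inside base_dir."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not accepted")
    # realpath collapses '..' and follows symlinks, so a symlink planted inside
    # the upload directory that points at wp-config.php is caught as well.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base or target == base:
        raise ValueError("path escapes the upload directory")
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def _touch(path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("x")


def demo() -> dict:
    """Build a throwaway WordPress-like tree (constructed data) and exercise both."""
    root = tempfile.mkdtemp(prefix="wpdemo-")
    try:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        config = os.path.join(root, "wp-config.php")
        avatar = os.path.join(uploads, "avatar.png")
        _touch(config)
        _touch(avatar)
        results = {}

        # Vulnerable path: a Subscriber's traversal string removes wp-config.php.
        results["vuln_traversal"] = vulnerable_delete(uploads, "../../wp-config.php")
        results["config_exists_after_vuln"] = os.path.exists(config)
        _touch(config)  # restore it for the hardened run

        def attempt(p: str) -> str:
            try:
                return "deleted" if safe_delete(uploads, p) else "missing"
            except ValueError:
                return "rejected"

        results["safe_traversal"] = attempt("../../wp-config.php")
        results["safe_absolute"] = attempt(config)
        link = os.path.join(uploads, "avatar2.png")
        try:
            os.symlink(config, link)
            results["safe_symlink"] = attempt("avatar2.png")
        except OSError:  # platforms without symlink support
            results["safe_symlink"] = "skipped"
        results["safe_legit"] = attempt("avatar.png")
        results["config_exists_after_safe"] = os.path.exists(config)
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the traversal string removing wp-config.php through the unchecked routine, while the hardened routine rejects traversal, absolute paths and the symlink escape and still deletes a legitimate upload. The point of resolving with realpath before the prefix comparison is that a string-level check on the raw input (looking for "../") misses symlinks and encoding tricks; comparing the resolved path against the resolved base does not.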
Who is most exposed
Sites running WordPress with this plugin at version 16.7 or earlier are exposed, most of all public-facing ones that allow open user registration, since anyone can then obtain the Subscriber account the attack requires. Shared hosting raises the stakes further, as the deleted file can be any the web server user may remove.
Detection ideas
- Monitor for abnormal file deletion events, especially wp-config.php or other critical webroot files.
- Log and alert on requests that reach the plugin's save_fields() handler carrying path-like values in field parameters: directory traversal sequences such as ../, absolute paths, or names of core files like wp-config.php.
- Inspect web server and application logs for deletion attempts routed through the plugin's endpoints, for example profile-update requests from low-privilege accounts shortly before a core file went missing.
- File integrity monitoring focusing on core WordPress files and plugin directories.
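The last two detection ideas (file deletion events and file integrity monitoring) come down to a baseline-and-diff check. The following is an added example, not tooling from the advisory or the plugin: it hashes a watch list of WordPress files and plugin directories, then reports anything missing, modified or newly added. The watch list, the throwaway site tree and the simulated tampering are constructed for illustration; in production the baseline would be stored off-host and the diff run on a schedule.

```python
"""Baseline-and-diff file integrity check for a WordPress tree.

Added example, not part of the advisory. The WATCH list and the fake site
tree are assumptions for illustration.
"""
import hashlib
import os
import shutil
import tempfile

# Files and directories worth baselining on a WordPress site (assumed list).
WATCH = ["wp-config.php", ".htaccess", "index.php", "wp-content/plugins"]


def _sha256(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str, watch=WATCH) -> dict:
    """Map site-relative path -> sha256 for every watched file that exists."""
    manifest = {}
    for entry in watch:
        full = os.path.join(root, entry)
        if os.path.isfile(full):
            manifest[entry] = _sha256(full)
        elif os.path.isdir(full):
            for dirpath, _, files in os.walk(full):
                for name in files:
                    path = os.path.join(dirpath, name)
                    manifest[os.path.relpath(path, root)] = _sha256(path)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Classify changes; a watched file that vanished is this CVE's signature."""
    return {
        "missing": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "new": sorted(set(current) - set(baseline)),
    }


def demo() -> dict:
    """Constructed site tree: baseline, simulate tampering, report the diff."""
    root = tempfile.mkdtemp(prefix="wpfim-")
    try:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "user-extra-fields")
        os.makedirs(plugin_dir)
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            ".htaccess": "RewriteEngine On",
            "index.php": "<?php require 'wp-blog-header.php';",
            "wp-content/plugins/user-extra-fields/plugin.php": "<?php // plugin",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        baseline = build_manifest(root)

        # Simulate what exploitation and a follow-up could leave behind:
        # the config deleted, a rewrite rule altered, a new PHP file dropped.
        os.unlink(os.path.join(root, "wp-config.php"))
        with open(os.path.join(root, ".htaccess"), "a", encoding="utf-8") as fh:
            fh.write("\n# tampered")
        with open(os.path.join(plugin_dir, "shell.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php // dropped file")
        return diff_manifest(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A missing entry for wp-config.php is the highest-priority alert here, because it is both the file the advisory names and the one whose absence hands the site to whoever next loads it.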
Mitigation and prioritisation
- Update the plugin to a release later than 16.7 that fixes the issue; 16.7 itself is vulnerable. Until that is possible, deactivate or remove the plugin.
- Enforce least privilege: disable open user registration where it is not needed and audit existing Subscriber accounts, since a single such account is all the attacker needs.
- Implement file integrity monitoring and regular backups with tested restoration procedures.
- Where the hosting model allows, run PHP as a user that cannot delete files outside wp-content/uploads (for example, keep wp-config.php in a directory the web server user cannot write to), and consider WAF rules that block traversal sequences and core file names in request parameters. Fixing the path validation in save_fields() is the vendor's job; site operators should not rely on patching plugin code themselves.
- Treat as P1 or P2 in line with internal risk appetite, and escalate if the CVE appears in CISA KEV or its EPSS score rises.