CVE-2025-14675 Overview
The Meta Box plugin for WordPress contains an arbitrary file deletion vulnerability due to insufficient file path validation in the ajax_delete_file function. This vulnerability affects all versions up to and including 5.11.1, allowing authenticated attackers with Contributor-level access and above to delete arbitrary files on the server. When critical files such as wp-config.php are deleted, this can lead to remote code execution and complete site compromise.
Critical Impact
Authenticated attackers can delete arbitrary server files including wp-config.php, potentially leading to remote code execution and complete WordPress site takeover.
Affected Products
- Meta Box WordPress Plugin versions up to and including 5.11.1
- WordPress installations using vulnerable Meta Box plugin versions
- Websites with Contributor-level or higher user accounts
Discovery Timeline
- 2026-03-07 - CVE-2025-14675 published to NVD
- 2026-03-09 - Last updated in NVD database
Technical Details for CVE-2025-14675
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), which occurs when the application fails to properly validate or sanitize file paths provided by users. The ajax_delete_file function in the Meta Box plugin processes file deletion requests without adequately verifying that the target file path is within the expected directory boundaries.
The vulnerability requires authentication but only needs Contributor-level privileges, which is a relatively low permission threshold in WordPress environments. Contributors are typically trusted only to write and manage their own posts, not to manipulate server files. The network-accessible nature of this vulnerability means attackers can exploit it remotely once they have valid credentials.
Root Cause
The root cause lies in the insufficient file path validation within the ajax_delete_file function located in the inc/fields/file.php file. The function fails to properly sanitize user-supplied input before performing file deletion operations, allowing path traversal sequences to escape the intended upload directory and access files elsewhere on the server filesystem.
Attack Vector
An authenticated attacker with Contributor-level access can craft malicious AJAX requests to the ajax_delete_file endpoint. By including path traversal sequences (such as ../) in the file path parameter, the attacker can specify files outside the intended upload directory. This allows targeting critical WordPress files like wp-config.php, which contains database credentials and security keys.
When wp-config.php is deleted, WordPress becomes unconfigured and may allow an attacker to reinitialize the installation, effectively taking complete control of the site. The deletion of other critical system files can cause denial of service or create conditions favorable for further exploitation.
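The missing check described above is a containment test on the resolved path. The following is an added example written for this page, not Meta Box's code and not the project's actual patch: it canonicalises the client-supplied name and refuses the delete unless the result stays under the upload directory, using a constructed temporary layout with a wp-config.php beside the upload folder.

```python
# Added example, not Meta Box's code or its actual patch: a containment
# check of the kind that closes a CWE-22 file-deletion flaw. The
# client-supplied name is resolved to a canonical path and the delete is
# refused unless that path stays inside the upload directory.
import os
import tempfile
from typing import Optional


def resolve_inside(upload_root: str, requested: str) -> Optional[str]:
    """Canonical path of `requested` if it lies under upload_root, else None."""
    root = os.path.realpath(upload_root)
    # os.path.join() discards the root when the second part is absolute,
    # so an absolute client value is rejected outright instead of joined.
    if os.path.isabs(requested):
        return None
    # realpath() collapses '..' segments and follows symlinks, so the
    # decision is made on the file that would really be unlinked.
    target = os.path.realpath(os.path.join(root, requested))
    # commonpath() compares whole components; a plain startswith() test
    # would accept a sibling such as '/site/uploads-old'.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_delete(upload_root: str, requested: str) -> bool:
    """Unlink `requested` only if it is a regular file inside upload_root."""
    target = resolve_inside(upload_root, requested)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed layout: <site>/wp-config.php beside <site>/uploads/photo.jpg."""
    site = tempfile.mkdtemp()
    uploads = os.path.join(site, "uploads")
    os.mkdir(uploads)
    for rel in ("uploads/photo.jpg", "wp-config.php"):
        with open(os.path.join(site, rel), "w") as fh:
            fh.write("constructed\n")
    return {
        "traversal": safe_delete(uploads, "../wp-config.php"),
        "absolute": safe_delete(uploads, os.path.join(site, "wp-config.php")),
        "legitimate": safe_delete(uploads, "photo.jpg"),
        "config_survives": os.path.isfile(os.path.join(site, "wp-config.php")),
    }


if __name__ == "__main__":
    print(demo())
```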
Detection Methods for CVE-2025-14675
Indicators of Compromise
- Unexpected deletion of critical WordPress files such as wp-config.php, .htaccess, or plugin files
- AJAX requests to the Meta Box plugin's file deletion endpoint containing path traversal patterns (../)
- Web server logs showing POST requests to admin-ajax.php with action=rwmb_delete_file or similar Meta Box actions
- Missing configuration files leading to WordPress installation prompts or database connection errors
Detection Strategies
- Monitor web server access logs for AJAX requests containing path traversal sequences targeting Meta Box endpoints
- Implement file integrity monitoring to detect unauthorized deletion of critical WordPress files
- Review audit logs for file deletion activities from accounts with Contributor-level access
- Deploy Web Application Firewall (WAF) rules to block path traversal patterns in file operation requests
Monitoring Recommendations
- Enable WordPress activity logging plugins to track file operations and AJAX requests
- Configure alerts for critical file modifications or deletions in the WordPress root directory
- Monitor for unusual patterns of file deletion requests from authenticated users
- Implement real-time file system monitoring for WordPress core files and configurations
How to Mitigate CVE-2025-14675
Immediate Actions Required
- Update the Meta Box plugin to the latest patched version immediately
- Review and restrict Contributor-level account access where possible
- Audit existing user accounts for unauthorized or suspicious accounts
- Verify the integrity of critical WordPress files including wp-config.php
- Consider temporarily disabling the Meta Box plugin until patching is complete
Patch Information
The vulnerability has been addressed by the plugin developers. The fix can be reviewed in the GitHub Pull Request #1654 and the WordPress Plugin Changeset #3475210. Users should update to the latest available version of the Meta Box plugin through the WordPress plugin repository. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Restrict user registration and limit Contributor-level account creation
- Implement file system permissions to protect critical files from deletion by the web server user
- Deploy a Web Application Firewall (WAF) with rules to block path traversal attempts
- Consider using security plugins that provide additional file protection capabilities
- Create regular backups of critical WordPress files to enable quick recovery if compromise occurs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.