CVE-2025-7846 Overview
CVE-2025-7846 is an arbitrary file deletion vulnerability in the WordPress User Extra Fields plugin. The flaw exists in the save_fields() function and affects all plugin versions up to and including 16.7. Insufficient file path validation allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server. Deleting sensitive files such as wp-config.php can trigger WordPress reinstallation flows that lead to remote code execution. The vulnerability is classified under [CWE-36] (Absolute Path Traversal).
Critical Impact
Authenticated Subscriber-level attackers can delete arbitrary server files, enabling site takeover and remote code execution by removing wp-config.php.
Affected Products
- WordPress User Extra Fields plugin versions up to and including 16.7
- WordPress sites with the User Extra Fields plugin installed and active
- Any WordPress installation permitting Subscriber-level registration with this plugin enabled
Discovery Timeline
- 2025-10-31 - CVE-2025-7846 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7846
Vulnerability Analysis
The vulnerability resides in the save_fields() function of the User Extra Fields plugin. The function accepts user-supplied input that influences file paths processed during field-save operations. The plugin fails to validate or sanitize these paths against a restricted directory boundary.
An authenticated attacker submits a crafted request supplying an absolute or traversal-laden path. The plugin then performs a file deletion operation on the target path with the privileges of the web server process. Because Subscriber-level accounts are commonly obtainable on sites with open registration, the prerequisite barrier is low.
Deleting wp-config.php is a recognized path to remote code execution on WordPress. When this file is absent, WordPress treats the installation as new and re-runs the setup wizard, allowing an attacker to point the site at an attacker-controlled database and execute arbitrary PHP through plugin or theme uploads.
Root Cause
The save_fields() function lacks proper validation of file path parameters before invoking deletion routines. The plugin trusts client-supplied path components without enforcing an allow-list of permitted directories or filenames. This mapping of [CWE-36] permits absolute path references that escape the intended upload directory.
Attack Vector
Exploitation requires network access to the target WordPress site and an authenticated session at Subscriber level or above. The attacker submits a crafted POST request to the plugin's field-save endpoint with a manipulated file path parameter. No user interaction is required beyond the attacker's own authenticated request. The EPSS score of 0.70% places this vulnerability in the 72nd percentile for likelihood of exploitation activity.
No verified proof-of-concept code is publicly available.
Refer to the Wordfence advisory for further technical detail:
https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d
Detection Methods for CVE-2025-7846
Indicators of Compromise
- Unexpected absence of wp-config.php, .htaccess, or core WordPress files on the web root
- WordPress installation wizard (/wp-admin/install.php) appearing on a previously configured site
- New Subscriber accounts created shortly before file deletion events in webserver logs
- POST requests targeting User Extra Fields plugin endpoints with path parameters containing ../ or absolute paths beginning with /
Detection Strategies
- Monitor file integrity on WordPress core files and plugin directories using checksum baselining
- Inspect access logs for authenticated requests to User Extra Fields admin-ajax actions that include suspicious path parameters
- Correlate Subscriber account registrations with subsequent file-modification or deletion events
Monitoring Recommendations
- Enable WordPress audit logging for user registration, role assignment, and plugin activity
- Ship webserver and PHP error logs to a centralized analytics platform for query and alerting
- Alert on unexpected invocations of PHP unlink() or filesystem deletion calls within the WordPress directory tree
- Track HTTP 404 spikes on wp-config.php or other core file paths, which often follow a successful deletion
How to Mitigate CVE-2025-7846
Immediate Actions Required
- Disable the User Extra Fields plugin until a patched version is installed
- Restrict WordPress user registration or change the default new-user role away from Subscriber where feasible
- Audit existing user accounts and remove unrecognized Subscriber-level accounts
- Back up wp-config.php and other critical files to an out-of-band location
Patch Information
At the time of publication, the vendor advisory referenced by Wordfence identifies versions up to and including 16.7 as vulnerable. Site administrators should consult the CodeCanyon Plugin Details and the Wordfence Vulnerability Report for the latest fixed version and upgrade instructions.
Workarounds
- Apply web application firewall rules that block requests containing path traversal sequences to plugin endpoints
- Restrict filesystem permissions so the web server user cannot delete files outside the uploads directory
- Temporarily set define('DISALLOW_FILE_MODS', true); in wp-config.php to limit plugin filesystem operations
- Place wp-config.php one directory above the WordPress web root where supported
# Example: harden filesystem permissions on the WordPress web root
chown -R root:www-data /var/www/wordpress
find /var/www/wordpress -type d -exec chmod 755 {} \;
find /var/www/wordpress -type f -exec chmod 644 {} \;
chmod 600 /var/www/wordpress/wp-config.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

