Primary

Context

BuddyPress Xprofile Custom Field Types Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the BuddyPress Xprofile Custom Field Types plugin for WordPress, affecting all versions through 1.2.8. This vulnerability arises from inadequate file path validation in the 'delete_field' function, enabling authenticated attackers with Subscriber-level access or higher to delete arbitrary files from the server. Exploiting this vulnerability could lead to remote code execution, particularly if a critical file such as wp-config.php is deleted.

Impact

Successful exploitation allows authenticated users with Subscriber-level access and above to delete arbitrary files on the server, potentially leading to remote code execution.

Remediation

Users are advised to update the BuddyPress Xprofile Custom Field Types plugin to version 1.3.0 or later.

Added: Jan 6, 2026, 5:18 AM

Updated: Jan 6, 2026, 5:18 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.9

remediation

7.7

relevance

1.9

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.9

remediation

7.7

relevance

1.9

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

BuddyPress Xprofile Custom Field Types Arbitrary File Deletion Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating