logo

Database

Lack of data validation - Path Traversal In wpmetabox/meta-box

Description

Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-146752. NVD-2025-146753. OSV-2025-146754. GCVE-2025-14675

References

1. https://github.com/wpmetabox/meta-box/pull/16542. https://github.com/wpmetabox/meta-box/commit/08c6511607b9cc9fe8d0de7a7e91c9d5d415f8313. https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L304. https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L545. https://plugins.trac.wordpress.org/changeset/3475210/meta-box#file36. https://www.wordfence.com/threat-intel/vulnerabilities/id/036467de-95bb-4bfd-9522-df8dc17f3102?source=cve

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-ACFWT – Vulnerability | Fluid Attacks Database