CVE-2025-14037 · HIGH 8.1 · EPSS percentile 6.9%


Description

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, provided they can trick an admin into clicking a malicious link.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H
EPSS: 0.17% probability of exploitation · percentile 6.9% · 2026-06-18T12:00:27Z
Published: 2026-03-21
Last modified: 2026-04-22

Underlying weaknesses (1)

CWE-352

References

  1. http://plugins.trac.wordpress.org/browser/invelity-products-feeds/trunk/classes/admin/classPluginSettingsManageFeedPage.php?marks=60#L60
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/8f95276c-7486-4dbe-a79d-702fd6be9cfa?source=cve


Type     | Target                                      | Confidence | Tier
Weakness | Cross-Site Request Forgery (CSRF), cwe-352  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-3055
  2. CVE-2025-2007
  3. CVE-2025-10058
  4. CVE-2025-10916
  5. CVE-2025-14344
  6. CVE-2025-7643

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.