CVE-2025-14829

E-xact · Hosted Payment WordPress plugin

The E-xact Hosted Payment WordPress plugin is vulnerable to arbitrary file deletion via insufficient file path validation, allowing unauthenticated attackers to delete critical server files.

Executive summary

A critical arbitrary file deletion vulnerability in the E-xact Hosted Payment plugin allows unauthenticated attackers to compromise server integrity.

Vulnerability

This vulnerability arises from improper validation of file paths, which permits unauthenticated remote attackers to delete arbitrary files from the host server. The flaw exists within the plugin's file handling mechanisms.

Business impact

Successful exploitation of this vulnerability could lead to total system compromise, including the deletion of critical configuration files, WordPress core files, or security-sensitive data. With a CVSS score of 9.1, this flaw poses a severe threat to operational continuity and data integrity, potentially resulting in complete service downtime.

Remediation

Immediate Action: Identify and disable the E-xact Hosted Payment plugin until the vendor releases a security patch.

Proactive Monitoring: Monitor server logs for unusual file deletion requests or unauthorized access patterns targeting the WordPress plugin directory.

Compensating Controls: Implement a Web Application Firewall (WAF) to block requests containing malicious directory traversal patterns commonly used for file manipulation.
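The root cause named in the Vulnerability section (a user-supplied file path accepted for deletion without sufficient validation) and the monitoring and WAF advice above can both be illustrated with the following Python example. It is added here and is not the plugin's code; the deletion directory, the AJAX action name `example_delete`, the `file` parameter and the access-log lines are all constructed for illustration. The first part shows the containment check a deletion routine must perform (resolve the real path and require that it stays under the permitted directory, on top of a strict file-name allowlist); the second scans web-server access-log lines for the traversal patterns the remediation refers to, including URL-encoded and double-encoded variants.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed example: the only directory from which the application may delete files.
# This path is hypothetical and is not taken from the plugin.
DELETE_ROOT = "/var/www/html/wp-content/uploads/example-receipts"

# Strict allowlist for a bare file name: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def resolve_within(root: str, user_supplied: str) -> Optional[str]:
    """Return the canonical path of `user_supplied` if it stays inside `root`, else None.

    realpath() collapses '..' segments and follows symlinks, so the prefix test is
    done on the resolved path rather than on the raw string. An absolute user path
    is rejected as well, because os.path.join() would silently discard `root`.
    """
    if "\x00" in user_supplied:          # embedded null bytes are never legitimate
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_supplied))
    if candidate == root_real or not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def safe_delete_target(user_supplied: str) -> Optional[str]:
    """Combine the name allowlist with the containment check; None means refuse."""
    if not SAFE_NAME.match(user_supplied):
        return None
    return resolve_within(DELETE_ROOT, user_supplied)


# Traversal indicator after decoding: '../' or '..\'.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Apache/nginx combined-format access line (constructed sample data below).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_target(target: str) -> bool:
    """True if the request target carries a traversal sequence, even when double-encoded."""
    decoded = unquote(unquote(target))   # two passes catch %252e%252e%252f-style encoding
    return bool(TRAVERSAL.search(decoded)) or "\x00" in decoded


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, target) for each suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_suspicious_target(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


# Constructed sample log; the endpoint and parameters are hypothetical, not the plugin's.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=receipt-42.pdf HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2025:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=../../../wp-config.php HTTP/1.1" 200 0
203.0.113.9 - - [10/Jan/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=..%2F..%2F.htaccess HTTP/1.1" 200 0
203.0.113.9 - - [10/Jan/2025:10:00:11 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 0
198.51.100.2 - - [10/Jan/2025:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, ts, target in find_suspicious(SAMPLE_LOG):
        print(f"suspicious: {ip} {ts} {target}")
    for name in ("receipt-42.pdf", "../../../wp-config.php", "/etc/passwd"):
        print(name, "->", safe_delete_target(name))
```

Both checks in `safe_delete_target` are kept on purpose: the allowlist alone would be enough for plain file names, but the containment check on the resolved path also survives later changes such as allowing subdirectories. The log scanner decodes twice because a WAF rule that only matches the literal `../` misses `%2e%2e%2f` and double-encoded forms, which is the usual way such rules are bypassed; matching after decoding keeps the detection aligned with what the application actually sees.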

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical CVSS severity and the unauthenticated nature of the attack, this vulnerability poses a significant risk to any WordPress environment utilizing the affected plugin. Administrators should prioritize removing or restricting access to the plugin until an official security update is verified and installed.