CVE-2025-14829
E-xact · Hosted Payment WordPress plugin
The E-xact Hosted Payment WordPress plugin is vulnerable to arbitrary file deletion via insufficient file path validation, allowing unauthenticated attackers to delete critical server files.
Executive summary
A critical arbitrary file deletion vulnerability in the E-xact Hosted Payment plugin allows unauthenticated attackers to compromise server integrity.
Vulnerability
This vulnerability arises from improper validation of file paths, which permits unauthenticated remote attackers to delete arbitrary files from the host server. The flaw exists within the plugin's file handling mechanisms.
Business impact
Successful exploitation of this vulnerability could lead to total system compromise, including the deletion of critical configuration files, WordPress core files, or security-sensitive data. With a CVSS score of 9.1, this flaw poses a severe threat to operational continuity and data integrity, potentially resulting in complete service downtime.
Remediation
Immediate Action: Identify every site running the E-xact Hosted Payment plugin and disable the plugin until the vendor releases a security patch.
Proactive Monitoring: Monitor server logs for unusual file deletion requests or unauthorized access patterns targeting the WordPress plugin directory.
Compensating Controls: Implement a Web Application Firewall (WAF) to block requests containing malicious directory traversal patterns commonly used for file manipulation.
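The monitoring and WAF steps above come down to spotting directory traversal values aimed at the plugin directory. The following Python script is added here as an illustration of that check over combined-format access logs; it is not part of the advisory or the plugin, and the plugin directory name, endpoint name and "file" parameter are placeholders because the advisory does not give them.

```python
import re
from urllib.parse import parse_qsl, unquote

# PLACEHOLDER: the advisory does not give the plugin's directory name; substitute the real slug.
PLUGIN_DIR = "/wp-content/plugins/exact-hosted-payment-PLACEHOLDER/"
# Values that try to leave the intended directory: '../', '..\' or an absolute path.
TRAVERSAL = re.compile(r"(\.\.[/\\]|^[/\\])")
# Apache/nginx combined log format: client, identd, user, [time], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded '..%252F' is caught as well as '..%2F'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_request(line):
    """Return a finding for a request to the plugin path whose query carries a traversal value, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not fully_decode(path).startswith(PLUGIN_DIR):
        return None
    # parse_qsl decodes once; fully_decode strips any remaining encoding layers.
    hits = [k for k, v in parse_qsl(query, keep_blank_values=True) if TRAVERSAL.search(fully_decode(v))]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "params": hits}

def scan(lines):
    """Run suspicious_request over an iterable of log lines and keep the findings."""
    return [f for f in map(suspicious_request, lines) if f]

# Constructed sample lines; the endpoint and 'file' parameter names are placeholders, not the plugin's.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/exact-hosted-payment-PLACEHOLDER/example.php?file=receipt.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/exact-hosted-payment-PLACEHOLDER/example.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/exact-hosted-payment-PLACEHOLDER/example.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 200 0',
    '198.51.100.2 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-content/plugins/other-plugin/x.php?file=../../etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs do not record POST bodies, so this catches only query-string parameters; request-body inspection belongs in the WAF rule set.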
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical CVSS severity and the unauthenticated nature of the attack, this vulnerability poses a significant risk to any WordPress environment running the affected plugin. Administrators should prioritize removing the plugin or restricting access to it until an official security update has been verified and installed.