A high-severity vulnerability has been identified in the BuddyPress Xprofile Custom Field Types plugin for WordPress. This flaw allows an attacker to delete arbitrary files on the server, which could lead to a complete website outage, data loss, or the removal of critical security configurations. Organizations using this plugin are at significant risk of operational disruption and should take immediate action to remediate.

The vulnerability exists within the delete_field function of the plugin. This function fails to properly validate the file paths provided in user-supplied input. An authenticated attacker can exploit this by crafting a malicious request containing path traversal sequences (e.g., ../../) to target and delete files outside of the plugin's intended directories. This could allow for the deletion of critical WordPress core files (such as wp-config.php), web server configuration files (.htaccess), or any other file the web server process has permission to delete.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant business impact, including a complete Denial of Service (DoS) if core application files are deleted, rendering the website inaccessible. The deletion of configuration files could disable security controls, potentially exposing the site to further attacks. The loss of critical data or media files could result in financial costs for restoration, damage to the organization's reputation, and disruption of business operations that rely on the website's availability and integrity.

Immediate Action: Immediately update the "BuddyPress Xprofile Custom Field Types" plugin to the latest patched version provided by the vendor. If this plugin is not critical to business operations, the recommended course of action is to deactivate and completely remove it to eliminate the attack surface.

Proactive Monitoring: Implement monitoring of web server access logs for suspicious POST requests targeting the plugin's administrative functions, specifically looking for path traversal payloads (../, %2e%2e/) within the request parameters. A File Integrity Monitoring (FIM) solution should be deployed to immediately alert on any unauthorized deletions or modifications to WordPress core files and sensitive configuration files.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks. Additionally, enforce least-privilege file permissions on the web server to restrict the web process user from deleting critical system or application files outside of its designated directories. Restrict access to the WordPress administrative dashboard to trusted IP addresses only.

Public Exploit Available: false

Given the high severity rating (CVSS 7.2) and the potential for a complete site takedown, it is strongly recommended that organizations treat this vulnerability as a high priority. All administrators should immediately identify WordPress instances running the "BuddyPress Xprofile Custom Field Types" plugin and apply the necessary updates without delay. Although this vulnerability is not currently listed on the CISA KEV list, its potential for destructive impact warrants immediate attention and remediation.