A high-severity vulnerability has been identified in the WordPress User Extra Fields plugin, impacting all versions up to and including 16. The flaw allows an authenticated attacker to delete arbitrary files on the server, which could lead to a complete website outage, data loss, or further system compromise. Immediate action is required to update or remove the affected plugin to mitigate the significant risk to website availability and integrity.

The vulnerability exists within the save_fields() function of the User Extra Fields plugin. This function fails to properly sanitize or validate user-supplied input for file paths. An authenticated attacker can exploit this by crafting a malicious request containing path traversal sequences (e.g., ../../) to target and delete files outside of the intended directory, including critical WordPress core files like wp-config.php or sensitive system files, depending on the web server's file permissions.

This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant threat to business operations. Successful exploitation could lead to a complete denial of service if critical application or server configuration files are deleted, resulting in website downtime and potential revenue loss. The deletion of sensitive data or backups could cause irrecoverable data loss and compromise data integrity. This could also serve as a precursor to a more complex attack, where an attacker deletes security logs or configuration files to cover their tracks or escalate privileges.

Immediate Action: Immediately update the WordPress User Extra Fields plugin to the latest version available from the vendor, which will be higher than version 16. If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate this attack vector.

Proactive Monitoring: Implement monitoring of web server access logs for suspicious POST requests to the plugin's administrative functions, specifically looking for path traversal payloads (e.g., ../, %2e%2e%2f). Utilize a File Integrity Monitoring (FIM) solution to generate alerts for any unauthorized changes or deletions of critical WordPress core files, server configuration files, and other sensitive system files.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to detect and block path traversal attacks. Enforce the principle of least privilege by hardening file system permissions to ensure the web server's user account cannot write to or delete files outside of its designated directories. Restrict access to the WordPress administrative dashboard to trusted IP addresses only.

Public Exploit Available: false

Given the high CVSS score of 8.8 and the critical impact of a successful attack, it is strongly recommended that organizations treat this vulnerability as a high priority. All instances of the WordPress User Extra Fields plugin must be identified and remediated immediately by updating to the latest patched version or by removing the plugin entirely. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants urgent attention to prevent potential website compromise and operational disruption.