High severity · 8.8 · NVD Advisory · Published Apr 29, 2026 · Updated Apr 30, 2026
CVE-2018-25308
Description
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.
Affected products (1)
- Range: =2.6.3
References (3)
News mentions (0)
No linked articles in our index yet.