High severity 8.8 · NVD Advisory · Published Apr 29, 2026 · Updated Apr 30, 2026
CVE-2018-25308
Description
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.