High severity · 7.2 (NVD) · Advisory · Published Mar 7, 2026 · Updated Apr 22, 2026
CVE-2025-14675
Description
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
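The failure the description names is a path-containment problem: a user-supplied file reference is rewritten from a site URL to a filesystem path and handed straight to unlink(). The script below is an added example written for this page, not code from the Meta Box plugin, that puts the unguarded resolution next to a containment check of the kind the fix introduces. It canonicalizes both the candidate and the allowed base with realpath() and compares against the base with a trailing slash, so a sibling directory whose name merely extends the base name is also rejected. The trailingslashit_local() and normalize_path_local() helpers are assumed stand-ins for the WordPress functions of similar name, the directory tree and the inputs are constructed fixtures, and str_starts_with() requires PHP 8.0 or later.

```php
<?php
// Added example (not Meta Box code): unguarded URL-to-path resolution beside a
// containment check that canonicalizes both sides before comparing.
declare(strict_types=1);

// Assumed stand-in for WordPress trailingslashit(): exactly one trailing slash.
function trailingslashit_local(string $p): string {
    return rtrim($p, '/\\') . '/';
}

// Assumed stand-in for wp_normalize_path(): forward slashes, no doubled slashes.
function normalize_path_local(string $p): string {
    $p = str_replace('\\', '/', $p);
    return preg_replace('|(?<=.)/+|', '/', $p);
}

// Vulnerable pattern: swap the site URL prefix for the install root and trust
// the result. Returns the path that would reach unlink(); nothing is deleted.
function resolve_unchecked(string $attachment, string $home_url, string $abspath): string {
    return str_replace(trailingslashit_local($home_url), trailingslashit_local($abspath), $attachment);
}

// Hardened pattern: resolve candidate AND base through realpath(), then require
// the candidate to lie under base + '/'. Returns the canonical path or null.
function resolve_contained(string $attachment, string $home_url, string $abspath, string $allowed_base): ?string {
    $candidate = resolve_unchecked($attachment, $home_url, $abspath);
    $real = realpath($candidate);        // false if the file does not exist
    $base = realpath($allowed_base);     // false if the upload dir is missing
    if ($real === false || $base === false) {
        return null;
    }
    $real = normalize_path_local($real);
    $base = trailingslashit_local(normalize_path_local($base));
    return str_starts_with($real, $base) ? $real : null;
}

// Constructed fixture: a throwaway tree standing in for a WordPress install.
$root     = sys_get_temp_dir() . '/mb-demo-' . bin2hex(random_bytes(4));
$abspath  = $root . '/site/';
$uploads  = $abspath . 'wp-content/uploads/custom';
$uploads2 = $abspath . 'wp-content/uploads/custom2';
mkdir($uploads, 0700, true);
mkdir($uploads2, 0700, true);
file_put_contents($abspath . 'wp-config.php', '<?php // config');
file_put_contents($uploads . '/report.pdf', 'pdf');
file_put_contents($uploads2 . '/other.pdf', 'pdf');

$home = 'https://example.test'; // assumed site URL for the fixture

// Constructed inputs: one legitimate upload and three that must be refused.
$inputs = [
    'legitimate upload'   => $home . '/wp-content/uploads/custom/report.pdf',
    'traversal to config' => $home . '/wp-content/uploads/custom/../../../wp-config.php',
    'sibling dir prefix'  => $home . '/wp-content/uploads/custom2/other.pdf',
    'raw absolute path'   => $abspath . 'wp-config.php',
];

foreach ($inputs as $label => $in) {
    $unchecked = resolve_unchecked($in, $home, $abspath);
    $checked   = resolve_contained($in, $home, $abspath, $uploads);
    printf("%-20s unchecked -> %s\n", $label,
        file_exists($unchecked) ? 'would unlink ' . realpath($unchecked) : 'no such file');
    printf("%-20s contained -> %s\n", $label, $checked ?? 'rejected');
}

// Remove the constructed fixture.
foreach ([$uploads . '/report.pdf', $uploads2 . '/other.pdf', $abspath . 'wp-config.php'] as $f) {
    unlink($f);
}
foreach ([$uploads, $uploads2, $abspath . 'wp-content/uploads', $abspath . 'wp-content', $abspath, $root] as $d) {
    rmdir($d);
}
```

Run it with `php example.php`. Only the first input resolves under the contained variant; the traversal input and the raw absolute path both point at the fixture's wp-config.php under the unchecked variant, and the sibling-directory input shows why the base must be compared with its trailing slash rather than as a bare prefix.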
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wpmetabox/meta-box (Packagist) | < 5.11.2 | 5.11.2 |
Patches (1)
1. 08c6511607b9 fix(security): prevent path traversal in ajax_delete_file (#1654)
2 files changed · +19 −3
inc/fields/file.php+11 −2 modified@@ -51,8 +51,17 @@ public static function ajax_delete_file() { if ( is_numeric( $attachment ) ) { $result = wp_delete_attachment( $attachment ); } else { - $path = str_replace( home_url( '/' ), trailingslashit( ABSPATH ), $attachment ); - $result = unlink( $path ); // phpcs:ignore WordPress.WP.AlternativeFunctions.unlink_unlink + $path = str_replace( home_url( '/' ), trailingslashit( ABSPATH ), $attachment ); + + // Security: validate resolved path is within $field['upload_dir'] directory. + $real_path = realpath( $path ); + $real_path = wp_normalize_path( $real_path ); + $allowed_base = ! empty( $field['upload_dir'] ) ? wp_normalize_path( $field['upload_dir'] ) : ''; + if ( ! $real_path || ! $allowed_base || ! str_starts_with( $real_path, $allowed_base ) ) { + wp_send_json_error( __( 'Error: The file is outside the allowed upload directory', 'meta-box' ) ); + } + + $result = unlink( $real_path ); // phpcs:ignore WordPress.WP.AlternativeFunctions.unlink_unlink } if ( $result ) {
inc/sanitizer.php+8 −1 modified@@ -205,7 +205,14 @@ private function sanitize_text( $value ) { * @return array */ private function sanitize_file( $value, $field ) { - return $field['upload_dir'] ? array_map( 'esc_url_raw', $value ) : $this->sanitize_object( $value ); + if ( ! $field['upload_dir'] ) { + return $this->sanitize_object( $value ); + } + + // Security: sanitize URLs and reject path traversal sequences. + return array_filter( array_map( function ( $url ) { + return str_contains( $url, '..' ) ? '' : esc_url_raw( $url ); + }, $value ) ); } /**
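Review bot: In the inc/fields/file.php hunk, `str_starts_with( $real_path, $allowed_base )` compares against the base directory without a trailing slash, so a file under a sibling directory whose name extends the upload directory's name (for example `.../uploads/custom2/x.pdf` when `upload_dir` is `.../uploads/custom`) passes the prefix test; compare against `trailingslashit( $allowed_base )` instead. The two sides are also canonicalized differently: `$real_path` goes through `realpath()` while `$allowed_base` is only passed through `wp_normalize_path()`, so an `upload_dir` that contains a symlink or a `..` segment never shares a prefix with the resolved file and every deletion in that directory is refused. Resolve both with `realpath()` before comparing, e.g. `$allowed_base = realpath( $field['upload_dir'] );` and send the error when that returns `false`.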
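Review bot: In the inc/sanitizer.php hunk, `array_filter` preserves keys, so once an entry is blanked and dropped the returned array is no longer a zero-indexed list; anywhere the value is later JSON-encoded or walked by index, the gap turns the list into an object or skips a position. Wrap the result in `array_values()`. The `str_contains( $url, '..' )` test is also a substring denylist: it rejects any URL that happens to contain `..` in a file name, and it does not see a percent-encoded `%2e%2e`, which `esc_url_raw()` leaves as-is. Treat it as defense in depth and keep the `realpath()` containment check in file.php as the control that decides whether a deletion proceeds.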
References
- github.com/advisories/GHSA-m4q3-832v-44j6 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-14675 (GHSA, advisory)
- github.com/wpmetabox/meta-box/commit/08c6511607b9cc9fe8d0de7a7e91c9d5d415f831 (GHSA, web)
- github.com/wpmetabox/meta-box/pull/1654 (NVD, web)
- plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php (NVD, web)
- plugins.trac.wordpress.org/changeset/3475210/meta-box (NVD, web)
- www.wordfence.com/threat-intel/vulnerabilities/id/036467de-95bb-4bfd-9522-df8dc17f3102 (NVD, web)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026), Wordfence Blog, Apr 23, 2026