Cyber Posture

CVE-2018-25308

Severity: High · Public PoC available

Published: 29 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.2nd percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a vulnerability that is catalogued as remote code execution but whose documented primitive is arbitrary file deletion. Authenticated users can manipulate the unescaped POST parameters field_hiddenfile and field_deleteimg during profile editing, and the plugin passes the supplied values to unlink(), removing files from the server.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: SI-10 Information Input Validation
Validate field_hiddenfile and field_deleteimg at the point they are read from the request (a bare file name confined to the plugin's upload directory) so that traversal sequences never reach the unlink() call.

prevent: SI-2 Flaw Remediation
Identify, report and correct the flaw in BuddyPress Xprofile Custom Fields Type 2.6.3 by updating to a fixed release, or restrict profile editing until one is available.

prevent: AC-3 Access Enforcement
Enforce logical access controls so that a user editing a profile can only remove the upload attached to that profile field, never an arbitrary path on the server.

Security Summary [AI-generated]

CVE-2018-25308 affects BuddyPress Xprofile Custom Fields Type version 2.6.3, a WordPress plugin extension for BuddyPress, and is catalogued as remote code execution. The flaw stems from unescaped POST parameters, specifically field_hiddenfile and field_deleteimg, which an attacker can manipulate during profile editing to perform path traversal (CWE-22) and unlink arbitrary files from the server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high severity, with high confidentiality, integrity and availability impact.

Any authenticated user with low privileges (PR:L), such as a subscriber account that can edit its own profile, can exploit this remotely over the network without further user interaction. By supplying traversal sequences in the vulnerable parameters during a profile edit, the attacker deletes files that the web server account is allowed to unlink, which on a typical installation covers the WordPress tree itself. Deletion alone does not execute code; the code-execution label reflects the follow-on compromise that removing critical site files enables (the well-known case is deleting wp-config.php, which returns WordPress to its installation routine), so the primitive should be treated as a step towards site takeover rather than only as a denial of service.
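As an added illustration, and not code from the plugin or from the advisory authors, the snippet below contrasts the vulnerable shape the advisory describes (a POST value passed straight to unlink()) with a hardened handler that confines deletion to one upload directory. The upload directory path, the function names and the user-id arguments are assumptions; the parameter name field_deleteimg is the one named in the advisory.

```php
<?php
// Added example, not code from the BuddyPress Xprofile Custom Fields Type plugin.
// Vulnerable pattern beside a hardened one for the same operation: deleting the
// image attached to a profile field. UPLOAD_DIR and the user ids are assumed.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/html/wp-content/uploads/bpxcftype'; // assumed upload root

// Vulnerable pattern: trusts the POST parameter as a path fragment.
function delete_field_image_vulnerable(array $post): bool
{
    if (empty($post['field_deleteimg'])) {
        return false;
    }
    // '../../../wp-config.php' escapes the upload directory and is unlinked.
    return @unlink(UPLOAD_DIR . '/' . $post['field_deleteimg']);
}

// Hardened helper: accept only a bare file name, canonicalise it, and require the
// resolved target to lie inside the upload root before anything touches the disk.
function resolve_upload_path(string $name): ?string
{
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null; // upload root missing: refuse rather than guess
    }
    // Reject separators and dot-directories: the value must equal its own basename.
    if ($name === '' || $name !== basename($name) || $name === '.' || $name === '..') {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null; // missing file, a directory, or a dangling symlink
    }
    // Containment check after symlink resolution: prefix must be the upload root.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // a symlink inside the directory pointed outside it
    }
    return $target;
}

function delete_field_image_hardened(array $post, int $current_user, int $profile_owner): bool
{
    // Authorisation: only the profile owner may remove their own upload.
    if ($current_user !== $profile_owner || empty($post['field_deleteimg'])) {
        return false;
    }
    $target = resolve_upload_path((string) $post['field_deleteimg']);
    if ($target === null) {
        error_log('rejected field_deleteimg value: ' . $post['field_deleteimg']);
        return false;
    }
    return unlink($target);
}

// Constructed inputs mimicking a manipulated request and a legitimate one.
$malicious  = ['field_deleteimg' => '../../../wp-config.php'];
$legitimate = ['field_deleteimg' => 'avatar-42.png'];
var_dump(resolve_upload_path($malicious['field_deleteimg']));  // NULL: rejected before unlink()
var_dump(resolve_upload_path($legitimate['field_deleteimg'])); // absolute path if the file exists, else NULL
```

The basename check alone blocks textual traversal; the realpath prefix comparison is what also catches a symlink planted inside the upload directory, which is why both are kept. Logging the rejected value gives the SOC a signal to alert on.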

Advisories and proof-of-concept exploits are documented in references including http://lenonleite.com.br/, https://www.exploit-db.com/exploits/44432, and https://www.vulncheck.com/advisories/buddypress-xprofile-custom-fields-type-remote-code-execution, which detail the issue and exploitation methods. Practitioners should consult these for mitigation guidance, such as updating to a patched version if available or restricting profile editing capabilities.

Details

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1070.004 Indicator Removal: File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The vulnerability sits in a public-facing WordPress plugin and is exploited over HTTP (T1190) via path traversal in unescaped POST parameters. The file-deletion primitive is mapped to T1070.004, but that sub-technique describes an intruder removing traces of their own activity; here deletion is the attack's effect on the victim's files, which reads more naturally as T1485 Data Destruction (Impact), with code execution a possible follow-on rather than a direct result.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://lenonleite.com.br/
https://www.exploit-db.com/exploits/44432
https://www.vulncheck.com/advisories/buddypress-xprofile-custom-fields-type-remote-code-execution