CVE-2025-7846

CVE-2025-7846 is an arbitrary file deletion vulnerability in the WordPress User Extra Fields plugin for WordPress, affecting all versions up to and including 16.7. The issue stems from insufficient file path validation in the save_fields() function, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-36 (Absolute Path Traversal). Published on 2025-10-31, it allows attackers to target and remove files on the server without proper restrictions.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating file paths, they can delete arbitrary files, potentially leading to remote code execution—for instance, by removing critical configuration files like wp-config.php, which could disrupt site functionality or enable further compromise.

Mitigation details are available in related advisories, including Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c66d0fb4-e2df-4bdb-8ccb-18a96173a55d?source=cve and the plugin's CodeCanyon page at https://codecanyon.net/item/user-extra-fields/12949844. Security practitioners should review these for patch availability or workaround guidance specific to the plugin.