CVE-2025-14037 is a vulnerability identified in the Invelity Product Feeds plugin for WordPress, affecting all versions up to and including 1.2.6. The root cause is a lack of proper input validation and sanitization in the 'createManageFeedPage' function, which processes user requests related to product feed management. This flaw allows an authenticated administrator to be targeted via a Cross-Site Request Forgery (CSRF) attack, where an attacker crafts a malicious URL containing path traversal sequences (e.g., '../') that, when visited by the admin, triggers arbitrary file deletion on the server. The vulnerability leverages CWE-352 (CSRF), meaning that the attacker must trick a logged-in admin into clicking a malicious link or visiting a crafted page. The CVSS v3.1 score of 8.1 indicates a high severity, with attack vector being network-based, low attack complexity, requiring high privileges (admin), and user interaction. The impact affects integrity and availability, as critical files can be deleted, potentially disrupting website functionality or causing data loss. No public exploits are currently known, but the vulnerability is published and should be considered a serious risk for sites using this plugin. The scope is limited to WordPress sites with the vulnerable plugin installed and administrators who can be socially engineered. The vulnerability does not affect confidentiality directly but can lead to significant operational damage.

The primary impact of CVE-2025-14037 is the potential for attackers to delete arbitrary files on the web server hosting the vulnerable WordPress plugin. This can lead to partial or complete loss of website functionality, data corruption, or downtime, affecting business operations and user trust. Since exploitation requires administrator privileges and user interaction, the risk is somewhat mitigated but remains significant due to the common use of WordPress and the prevalence of social engineering attacks. Organizations relying on the Invelity Product Feeds plugin for e-commerce or product management may face operational disruptions, loss of critical data, and increased recovery costs. Additionally, file deletion could be leveraged as part of a broader attack chain to facilitate further compromise or cover tracks. The vulnerability does not expose confidential data directly but compromises system integrity and availability, which are critical for maintaining secure and reliable web services.

To mitigate CVE-2025-14037, organizations should immediately update the Invelity Product Feeds plugin to a patched version once available. In the absence of an official patch, administrators should implement the following specific measures: 1) Restrict administrator access to trusted personnel only and enforce strong multi-factor authentication to reduce the risk of compromised credentials. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block requests containing suspicious path traversal sequences targeting the plugin's endpoints. 3) Educate administrators about the risks of CSRF and social engineering attacks, emphasizing caution when clicking links, especially from untrusted sources. 4) Implement nonce or token-based CSRF protections at the application level if possible, to validate legitimate requests. 5) Regularly back up website files and databases to enable rapid recovery in case of file deletion. 6) Monitor server logs for unusual file deletion activities or access patterns related to the plugin. These targeted mitigations go beyond generic advice by focusing on the specific attack vector and exploitation conditions of this vulnerability.