CVE-2025-14675 is a path traversal vulnerability classified under CWE-22 found in the Meta Box plugin for WordPress, a popular tool used to create custom meta boxes and fields. The vulnerability exists in the ajax_delete_file function, which fails to properly validate and restrict file paths before deleting files. This flaw allows authenticated users with Contributor-level privileges or higher to craft requests that traverse directories and delete arbitrary files on the web server. Since WordPress sites often store critical configuration files such as wp-config.php on the same server, deleting these files can disrupt site functionality or enable attackers to upload malicious code, leading to remote code execution. The vulnerability affects all versions up to and including 5.11.1 of the Meta Box plugin. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation by authenticated users make it a significant threat. The vulnerability was reserved in December 2025 and published in March 2026. The lack of official patches at the time of reporting increases the urgency for mitigation.

The impact of this vulnerability is substantial for organizations running WordPress sites with the Meta Box plugin installed. An attacker with Contributor-level access can delete arbitrary files, potentially removing critical configuration files, plugin files, or other important data. This can lead to site downtime, data loss, and compromise of the entire web server environment. The deletion of wp-config.php or similar files can allow attackers to execute arbitrary code remotely, escalate privileges, or pivot within the network. This threatens confidentiality by exposing sensitive data, integrity by allowing unauthorized file deletions, and availability by causing service disruptions. Given WordPress's widespread use globally, the vulnerability poses a risk to websites ranging from small blogs to large enterprise portals. The requirement for authenticated access limits exploitation to insiders or attackers who have compromised user credentials, but the Contributor role is commonly assigned, increasing the attack surface. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the potential severity once exploit code becomes available.

Organizations should immediately audit their WordPress installations to identify the presence of the Meta Box plugin and verify the version in use. Until an official patch is released, administrators should consider temporarily disabling or removing the Meta Box plugin to eliminate the attack vector. Restrict Contributor-level user permissions where possible, limiting the number of users with such access and enforcing strong authentication mechanisms such as multi-factor authentication. Implement web application firewalls (WAFs) with rules to detect and block suspicious path traversal patterns targeting ajax_delete_file endpoints. Monitor server logs for unusual file deletion requests or errors related to critical files. Regularly back up WordPress files and databases to enable rapid recovery in case of file deletion or compromise. Once a patch is available, apply it promptly. Additionally, consider isolating WordPress instances in hardened environments with least privilege file system permissions to reduce the impact of arbitrary file deletions.