
CVE-2025-14804: CWE-73 External Control of File Name or Path in Frontend File Manager Plugin

Severity: High
Tags: Vulnerability, CVE-2025-14804, cve, cwe-73
Published: Wed Jan 07 2026 (01/07/2026, 06:00:09 UTC)
Source: CVE Database V5
Product: Frontend File Manager Plugin

Description

CVE-2025-14804 is a high-severity vulnerability in the Frontend File Manager WordPress plugin prior to version 23.5. It allows any authenticated user, including low-privilege roles such as subscribers, to delete arbitrary files on the server because the plugin neither validates the path parameter nor checks file ownership before deleting. The vulnerability requires no user interaction and can be exploited remotely over the network. It does not impact confidentiality or availability, but it severely impacts integrity by enabling unauthorized file deletion. No exploits are currently reported in the wild. European organizations running this plugin on WordPress sites are at risk, especially those with subscriber-level users. Mitigation requires updating immediately to version 23.5 or later and restricting plugin access to trusted users only. Countries with high WordPress usage and significant e-commerce or media sectors, such as Germany, France, and the UK, are most likely affected.

AI-Powered Analysis

Last updated: 01/14/2026, 16:03:46 UTC

Technical Analysis

CVE-2025-14804 is a vulnerability identified in the Frontend File Manager Plugin for WordPress versions before 23.5. The flaw arises from the plugin's failure to properly validate the 'path' parameter and verify file ownership before allowing file deletion operations. This weakness falls under CWE-73 (External Control of File Name or Path), where an attacker can manipulate file paths to affect files outside the intended directory scope. The vulnerability permits any authenticated user, including those with minimal privileges such as subscribers, to delete arbitrary files on the web server hosting the WordPress site. Exploitation requires no user interaction and can be performed remotely over the network. The CVSS v3.1 score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N) indicates that while confidentiality and availability are not impacted, integrity is severely compromised due to unauthorized file deletions. The scope is changed (S:C) because the vulnerability affects resources beyond the scope of the initially vulnerable component. No public exploits have been reported yet, but the ease of exploitation and low privilege requirement make it a significant threat. The vulnerability could lead to defacement, disruption of website functionality, or deletion of critical files, potentially causing operational issues or reputational damage.
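As an added, defender-side example (not the plugin's code and not the vendor's fix), the following WordPress AJAX handler shows the two checks the analysis above describes as missing: the user-supplied path is canonicalized with realpath() and confined to a fixed base directory, and the file must be recorded as the current user's before deletion is allowed. The action name ffm_delete_file, the helper names, the nonce action 'ffm_delete', the per-user directory layout under wp-content/uploads and the '_ffm_owned_files' user-meta key are all assumptions made for this illustration.

```php
<?php
// Added example: hardened delete handler for a hypothetical front-end file
// manager. Function names, the nonce action, the directory layout and the
// ownership meta key are assumptions, not the real plugin's identifiers.

add_action( 'wp_ajax_ffm_delete_file', 'ffm_secure_delete_file' );

/**
 * Resolve $relative inside $base and return the canonical path, or null if the
 * request escapes the base directory or does not name an existing regular file.
 */
function ffm_resolve_inside( $base, $relative ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return null;
    }
    // Reject empty input, NUL bytes and absolute paths before touching the disk.
    if ( '' === $relative || false !== strpos( $relative, "\0" ) || path_is_absolute( $relative ) ) {
        return null;
    }
    // realpath() resolves '..' segments and symlinks, so the containment test
    // below runs against what the filesystem will actually open.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return null;
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null; // resolved outside the user's directory
    }
    return $candidate;
}

/**
 * Ownership check against a server-controlled record (assumed: the plugin
 * stores each upload's canonical path in user meta at upload time).
 * Living under a user-named directory is not, by itself, proof of ownership.
 */
function ffm_user_owns_file( $user_id, $path ) {
    $owned = get_user_meta( $user_id, '_ffm_owned_files', true );
    return is_array( $owned ) && in_array( $path, $owned, true );
}

function ffm_secure_delete_file() {
    // 1. Capability check: subscriber-level users never reach the delete path.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection; check_ajax_referer() terminates on failure.
    check_ajax_referer( 'ffm_delete', 'nonce' );

    // 3. Confine the 'path' parameter to this user's own upload directory.
    $user_id  = get_current_user_id();
    $upload   = wp_upload_dir();
    $user_dir = $upload['basedir'] . '/ffm/' . $user_id; // assumed layout
    $path     = isset( $_POST['path'] ) ? (string) wp_unslash( $_POST['path'] ) : '';
    $target   = ffm_resolve_inside( $user_dir, $path );
    if ( null === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Ownership check independent of the directory the file sits in.
    if ( ! ffm_user_owns_file( $user_id, $target ) ) {
        wp_send_json_error( 'not the file owner', 403 );
    }

    // 5. Delete and report; a failure here is a server error, not a client one.
    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

The order matters: the capability and nonce checks run before any filesystem call, the containment check uses the canonical path rather than the raw string, and ownership is decided by a record the server wrote, so neither a crafted path nor a file planted in another user's directory is enough to pass.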

Potential Impact

For European organizations, this vulnerability poses a significant risk to the integrity of their web infrastructure, especially those relying on WordPress with the Frontend File Manager plugin installed. Unauthorized file deletion can disrupt business operations, cause data loss, and require costly recovery efforts. E-commerce platforms, media companies, and public sector websites are particularly vulnerable due to their reliance on WordPress and the presence of multiple user roles, including subscribers. The lack of impact on confidentiality reduces the risk of data breaches but does not diminish the threat to operational continuity. Additionally, the vulnerability could be leveraged as part of a broader attack chain, such as deleting security or backup files to facilitate further compromise. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability's characteristics suggest it could be weaponized quickly once publicized.

Mitigation Recommendations

1. Immediately update the Frontend File Manager plugin to version 23.5 or later, where the vulnerability is patched.
2. Restrict plugin access strictly to trusted users with elevated privileges; avoid granting subscriber-level users access to file management features.
3. Implement web application firewall (WAF) rules to detect and block suspicious file path manipulation attempts targeting the plugin endpoints.
4. Regularly audit user roles and permissions within WordPress to ensure only the minimum necessary privileges are assigned.
5. Monitor server logs for unusual file deletion activity or unauthorized access attempts related to the plugin.
6. Maintain regular backups of website files and databases to enable rapid recovery in case of file deletion or tampering.
7. Consider isolating file management functionality in a separate environment, or using alternative plugins with stronger security track records.
8. Educate site administrators about the risks of granting file management capabilities to low-privilege users.


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2025-12-16T21:54:07.344Z
CVSS Version: null
State: PUBLISHED

Threat ID: 695dfb8aa55ed4ed9983420a

Added to database: 1/7/2026, 6:22:02 AM

Last enriched: 1/14/2026, 4:03:46 PM

Last updated: 2/5/2026, 11:56:18 AM
