CVE-2025-14997 is a path traversal vulnerability classified under CWE-22, affecting the BuddyPress Xprofile Custom Field Types plugin for WordPress, specifically versions up to and including 1.2.8. The vulnerability arises from insufficient validation of file paths in the 'delete_field' function, which allows authenticated users with Subscriber-level privileges or higher to delete arbitrary files on the web server. This is possible because the plugin does not properly restrict the pathname input, enabling attackers to traverse directories and target sensitive files outside the intended directory scope. The deletion of critical files such as wp-config.php can lead to remote code execution, as attackers may disrupt site configuration or inject malicious code. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication, making it a serious threat to WordPress sites using this plugin. The CVSS v3.1 score is 7.2 (high), reflecting the ease of exploitation (low attack complexity), the need for privileges (high), and the significant impact on confidentiality, integrity, and availability. No official patches or fixes have been linked yet, and no known exploits are reported in the wild as of the publication date. However, the vulnerability's nature suggests that exploitation could be automated once a proof of concept is developed. Organizations relying on this plugin should urgently assess their exposure and implement mitigations or updates once available.

For European organizations, this vulnerability poses a substantial risk to the confidentiality, integrity, and availability of WordPress-based web assets. Exploitation could lead to deletion of critical configuration files, resulting in website downtime, data breaches, or full server compromise through remote code execution. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR where data protection is paramount. Organizations running customer-facing websites, e-commerce platforms, or internal portals using BuddyPress plugins are particularly vulnerable. The attack requires only authenticated access at Subscriber level, which is commonly granted to registered users, increasing the attack surface. The potential for lateral movement and privilege escalation after initial exploitation further amplifies the threat. Given the widespread use of WordPress in Europe, especially in countries with large digital economies, the impact could be significant if not addressed promptly.

Immediate mitigation steps include restricting user roles and permissions to minimize the number of accounts with Subscriber-level or higher access. Implement strict monitoring and logging of file deletion activities within WordPress environments. Employ Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the 'delete_field' function. Until an official patch is released, consider disabling or removing the BuddyPress Xprofile Custom Field Types plugin if it is not essential. For sites where the plugin is critical, isolate the WordPress instance using containerization or sandboxing to limit potential damage. Regularly back up website files and databases to enable rapid recovery in case of file deletion. Conduct thorough audits of user accounts to remove inactive or unnecessary users. Finally, stay updated with vendor advisories and apply patches immediately upon release.