CVE-2025-7846 is an absolute path traversal vulnerability classified under CWE-36 found in the WordPress User Extra Fields plugin, which is widely used to extend user profile capabilities in WordPress installations. The vulnerability exists in the save_fields() function, where insufficient validation of file paths allows authenticated users with Subscriber-level privileges or higher to specify arbitrary file paths for deletion. This flaw enables attackers to delete any file on the server that the web server process has permission to remove. Critical files such as wp-config.php, which contains database credentials and configuration settings, can be targeted, potentially leading to remote code execution or complete site takeover. The vulnerability affects all versions up to and including 16.7 of the plugin. The CVSS 3.1 score of 8.8 reflects the vulnerability's network attack vector, low attack complexity, required privileges at the low level, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes are currently linked, and no public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for WordPress sites using this plugin.

The impact of CVE-2025-7846 is substantial for organizations running WordPress sites with the User Extra Fields plugin installed. Exploitation allows attackers with minimal privileges (Subscriber-level) to delete arbitrary files, which can disrupt website functionality, cause data loss, and compromise server integrity. Deletion of critical files like wp-config.php can lead to remote code execution, enabling attackers to gain full control over the web server, access sensitive data, deploy malware, or pivot to internal networks. This can result in website defacement, data breaches, service outages, and reputational damage. Given WordPress's widespread use globally, this vulnerability poses a significant risk to small businesses, enterprises, and hosting providers relying on this plugin. The ease of exploitation combined with the high potential impact on confidentiality, integrity, and availability underscores the critical nature of this threat.

1. Immediate mitigation should include restricting or disabling the User Extra Fields plugin until a patch is available. 2. Implement strict file system permissions to limit the web server's ability to delete or modify critical files outside designated directories. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting path traversal or file deletion operations targeting the plugin's endpoints. 4. Monitor logs for unusual file deletion activities or access patterns from authenticated users with Subscriber-level privileges. 5. Enforce the principle of least privilege by reviewing and minimizing user roles and capabilities, especially limiting Subscriber-level users from unnecessary access. 6. Regularly back up website files and databases to enable quick recovery in case of file deletion or compromise. 7. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released. 8. Consider using security plugins that can detect and prevent unauthorized file system changes. 9. Conduct security audits and penetration testing focused on plugin vulnerabilities and file system access controls.