High severity alert (CVSS 8.8): CVE-2025-14997 affects the WordPress plugin BuddyPress Xprofile Custom Field Types (slug: bp-xprofile-custom-field-types) in all versions up to and including 1.2.8. The issue allows an authenticated user (Subscriber and above) to delete arbitrary files on the server, which can cascade into full site compromise in certain scenarios.

Attack Vectors

This vulnerability can be exploited by a user who can log in to your WordPress site with a low-privilege account (Subscriber+)—a common role granted for community features, gated content, events, or campaigns.

Attackers may gain Subscriber credentials through password reuse, credential stuffing, phishing, or by registering if public sign-ups are enabled. Once authenticated, they can attempt to delete files that the web server process can access.

Security Weakness

According to the published advisory, BuddyPress Xprofile Custom Field Types is vulnerable to arbitrary file deletion due to insufficient file path validation in the plugin’s delete_field function (versions <= 1.2.8).

This weakness matters because file deletion isn’t limited to plugin-managed files; it can potentially target sensitive application files. The advisory notes that deleting the “right” file (for example, wp-config.php) can “easily lead to remote code execution,” turning a seemingly simple deletion bug into a path toward full takeover.

Source reference: Wordfence vulnerability record.

Technical or Business Impacts

Website outage and campaign disruption: Deleting key WordPress or plugin files can break the site immediately, taking landing pages, signup flows, and customer portals offline during active marketing and revenue periods.

Potential site takeover risk: If critical configuration or application files are deleted, the resulting failure state can create opportunities for deeper compromise, including the possibility of remote code execution as cited in the advisory. This elevates the incident from “availability issue” to a potential full breach scenario.

Data protection and compliance exposure: A compromised WordPress environment may enable unauthorized access to customer data, email lists, order details, or member profiles—creating notification obligations and reputational harm depending on your regulatory environment and contractual commitments.

Financial impact: Downtime, incident response costs, potential forensic work, legal/compliance review, and customer churn can materially exceed the cost of routine patching—especially for organizations relying on WordPress for lead generation and customer engagement.

Recommended remediation: Update BuddyPress Xprofile Custom Field Types to version 1.3.0 or newer (patched). If you cannot patch immediately, consider temporarily disabling the plugin and reviewing whether Subscriber registration is necessary until the update is completed.

Similar Attacks

While CVE-2025-14997 is specific to BuddyPress Xprofile Custom Field Types, WordPress sites are frequently impacted by plugin vulnerabilities that enable takeover, data theft, or widespread disruption:

CVE-2020-25213 (WordPress File Manager) — a widely discussed plugin vulnerability that was leveraged at scale to compromise sites, highlighting how quickly WordPress plugin flaws can be operationalized by attackers.

CVE-2018-7600 (Drupalgeddon2) — a major CMS vulnerability that demonstrates how content platforms can become high-value targets when a flaw enables escalation to remote code execution.

CVE-2023-34362 (MOVEit Transfer) — a high-profile example of how web application vulnerabilities can rapidly translate into business-level incidents, including data exposure and regulatory scrutiny.