CVE-2018-25308 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: April 29, 2026
BuddyPress Xprofile Custom Fields Type - Remote Code Execution
Published: April 29, 2026 | Updated: April 29, 2026 | Remote Exploitable
Overview
BuddyPress Xprofile Custom Fields Type 2.6.3 for WordPress passes the user-controlled POST parameters field_hiddenfile and field_deleteimg, submitted while editing a profile, into its file-deletion logic without validating that the resulting path stays inside the plugin's upload directory (CWE-22, path traversal). An authenticated user who can edit a profile can therefore delete arbitrary files that the web server account has permission to remove. Note that the page's Type field classifies the issue as remote code execution, while the vulnerability as described is an arbitrary file deletion; the CWE entry below matches the latter.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
An authenticated user with profile-editing access can delete arbitrary files that the web server account can remove. Deleting application or configuration files such as wp-config.php takes the site offline (denial of service), and the page notes that the deletion primitive can serve as a stepping stone to further exploitation, which is consistent with the High rating on confidentiality, integrity and availability in the CVSS vector below.
Mitigation
Update to a fixed release of BuddyPress Xprofile Custom Fields Type (any version later than 2.6.3 that addresses this issue; 2.6.3 is the version the page names as affected). A correct fix must never treat field_hiddenfile or field_deleteimg as a file path: the server should map a client-supplied identifier to a file inside its own upload directory and verify, after resolving symlinks, that the target stays inside that directory. Until the plugin is updated, limit profile editing to trusted accounts where the site allows it, and run the web server under an account that cannot delete files outside the uploads directory, so a successful traversal cannot reach wp-config.php or other core files.
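To make concrete both what the Overview describes and the check the Mitigation section asks for, here is an added PHP example that is not code from the BuddyPress Xprofile Custom Fields Type plugin: a deletion handler that feeds the field_deleteimg POST value straight to unlink(), beside a hardened handler that accepts only a bare file name, resolves it under a fixed uploads directory with realpath(), and refuses anything that resolves outside that directory. The function names, the throwaway uploads directory and the sample files are assumptions constructed for the illustration.

```php
<?php
// Added illustrative example; not code from the plugin. The function names and
// the uploads directory are assumptions made for this demonstration.

// VULNERABLE PATTERN (the behaviour the advisory describes): the POST value is
// used as a filesystem path with no validation, so a value such as
// "../wp-config.php" deletes a file outside the uploads directory.
function delete_profile_file_vulnerable(array $post): bool
{
    $path = $post['field_deleteimg'] ?? '';
    return $path !== '' && @unlink($path);
}

// HARDENED PATTERN: the client supplies a name, never a path. The server maps it
// into a fixed directory and confirms the resolved path stays inside it.
function delete_profile_file_safe(string $uploadDir, string $name): bool
{
    // Reject empty names, NUL bytes, and anything that is not a bare file name
    // (a name containing a directory separator differs from its basename).
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return false;
    }
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for nonexistent paths and resolves symlinks, so a
    // symlink inside uploads that points elsewhere also fails the prefix check.
    if ($base === false || $target === false || !is_file($target)) {
        return false;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the uploads directory
    }
    return unlink($target);
}

// Demonstration on a throwaway directory tree (constructed sample data):
//   <tmp>/wp-config.php      stands in for a core file outside uploads
//   <tmp>/uploads/avatar.jpg stands in for a legitimately uploaded file
$tmp    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xprofile-demo-' . getmypid();
$upload = $tmp . DIRECTORY_SEPARATOR . 'uploads';
mkdir($upload, 0700, true);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'wp-config.php', "<?php // secrets\n");
file_put_contents($upload . DIRECTORY_SEPARATOR . 'avatar.jpg', 'jpeg-bytes');

// The handler runs with the uploads directory as its working directory, so a
// relative traversal value behaves as it would in a request to the plugin.
chdir($upload);
$results = [];
$results['vulnerable: traversal deleted wp-config.php'] =
    delete_profile_file_vulnerable(['field_deleteimg' => '../wp-config.php'])
    && !file_exists($tmp . DIRECTORY_SEPARATOR . 'wp-config.php');
$results['safe: traversal refused']        = !delete_profile_file_safe($upload, '../wp-config.php');
$results['safe: absolute path refused']    = !delete_profile_file_safe($upload, $upload . '/avatar.jpg');
$results['safe: own upload deleted']       = delete_profile_file_safe($upload, 'avatar.jpg');
$results['safe: second delete is a no-op'] = !delete_profile_file_safe($upload, 'avatar.jpg');

foreach ($results as $label => $ok) {
    printf("%-44s %s\n", $label, $ok ? 'as expected' : 'UNEXPECTED');
}

// Cleanup: leave the working directory before removing it.
chdir(sys_get_temp_dir());
array_map('unlink', glob($upload . '/*') ?: []);
@unlink($tmp . DIRECTORY_SEPARATOR . 'wp-config.php');
rmdir($upload);
rmdir($tmp);
```

Run it with `php example.php`; every line should report "as expected". In a real WordPress handler the path check is only one layer: the request should also carry a nonce verified with wp_verify_nonce(), and the file name should be looked up from the current user's own profile data rather than trusted from the request, so one member cannot delete another member's upload even inside the allowed directory.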
Details
- CVE ID: CVE-2018-25308
- Severity: High
- CVSS Score: 8.8
- Type: remote_code_execution
- Status: new
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low (any authenticated member who can edit a profile); User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability impact: High. This vector evaluates to the 8.8 base score listed above.