LeakyCreds

CVE-2025-14037 - Vulnerability Analysis

High, CVSS: 8.1

Last Updated: March 23, 2026

Invelity Product Feeds - Path Traversal

Published: March 21, 2026 | Updated: March 23, 2026 | Remote Exploitable

Overview

The Invelity Product Feeds plugin for WordPress, versions <= 1.2.6, contains a path traversal vulnerability caused by missing validation in the 'createManageFeedPage' function. It lets authenticated administrators delete arbitrary files via crafted requests. Exploitation requires user interaction.

Severity & Score

Severity: High
CVSS Score: 8.1
EPSS Score: 3.6% (Probability of exploitation in next 30 days)

Impact

Authenticated administrators can delete arbitrary files on the server, potentially leading to system compromise or data loss.

Mitigation

Update to the latest version beyond 1.2.6.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 21, 2026

🟠 CVE-2025-14037 - High (8.1) The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. Thi... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-14037/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2025-14037
Severity: High
CVSS Score: 8.1
Type: path_traversal
Status: unconfirmed
EPSS: 3.6%
Social Posts: 1

CWE

  • CWE-352

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:H

EPSS Score

3.6% (Probability of exploitation in the next 30 days)