CVE-2025-14868 - Vulnerability Analysis
High | CVSS: 8.8 | Last Updated: April 16, 2026
Career Section WordPress plugin - Cross-Site Request Forgery
Published: April 16, 2026 | Updated: April 16, 2026 | Remote Exploitable
Overview
Career Section WordPress plugin versions <= 1.6 contain a cross-site request forgery vulnerability caused by a missing nonce check and insufficient file path validation in the delete action. This lets unauthenticated attackers delete arbitrary files via forged requests. Exploitation requires admin user interaction.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Unauthenticated attackers can delete arbitrary files on the server, potentially causing data loss or service disruption.
Mitigation
Update to the latest version with nonce validation and proper file path checks.
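The two checks named above, as an added example of a hardened WordPress delete handler. This is not the Career Section plugin's code: the action name, nonce name, `file` parameter, `career-uploads` directory and redirect page are hypothetical.

```php
<?php
// Added example, not the plugin's own code. All 'example_*' names, the 'file'
// parameter and the 'career-uploads' directory are hypothetical.

add_action('admin_post_example_delete_upload', 'example_delete_upload');

function example_delete_upload() {
    // 1. CSRF: abort unless the request carries a valid nonce for this action.
    //    A forged cross-site request cannot know the admin's nonce value.
    check_admin_referer('example_delete_upload', '_wpnonce');

    // 2. Authorization: a nonce proves intent, not permission.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', array('response' => 403));
    }

    // 3. Path containment: reduce the input to a bare file name, resolve the
    //    real path, and confirm it is still inside the single directory in
    //    which deletion is allowed.
    $requested = isset($_POST['file']) ? wp_unslash($_POST['file']) : '';
    $name      = sanitize_file_name(basename($requested));
    $uploads   = wp_upload_dir();
    $base      = realpath($uploads['basedir'] . '/career-uploads');
    $target    = ($base && $name !== '') ? realpath($base . '/' . $name) : false;

    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        wp_die('Invalid file.', '', array('response' => 400));
    }

    wp_delete_file($target);
    wp_safe_redirect(admin_url('admin.php?page=example-career-files'));
    exit;
}

// The admin form that submits this action must embed the matching nonce:
// wp_nonce_field('example_delete_upload', '_wpnonce');
```

Resolving the path with `realpath()` before the prefix comparison means `../` sequences and symlinks are evaluated first, so the check applies to the file that would actually be deleted.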
Details
- CVE ID: CVE-2025-14868
- Severity: High
- CVSS Score: 8.8
- Type: cross_site_request_forgery
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H