PT-2025-44583 · WordPress · Wordpress User Extra Fields

Tonn · Published 2025-10-31 · Updated 2025-10-31 · CVE-2025-7846

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

WordPress User Extra Fields versions up to and including 16.7

Description

The WordPress User Extra Fields plugin is susceptible to arbitrary file deletion. This is due to inadequate file path validation within the save_fields() function. Authenticated attackers with Subscriber-level access or higher can exploit this to delete arbitrary files on the server. Deletion of critical files, such as wp-config.php, could lead to remote code execution.

Recommendations

Versions up to and including 16.7 should be updated to a newer, fixed version when available. As a temporary workaround, consider restricting access to the save_fields() function until a patch is available.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2025-7846

Affected Products

Wordpress User Extra Fields