PT-2026-33281 · WordPress · Career Section

Ivan Cese · Published 2026-04-16 · Updated 2026-04-16 · CVE-2025-14868

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Career Section plugin for WordPress, versions prior to 1.7

Description: The plugin is susceptible to Cross-Site Request Forgery (CSRF), a flaw where an attacker tricks a logged-in user into executing unwanted actions. This issue leads to Path Traversal and Arbitrary File Deletion due to missing nonce validation and insufficient file path validation within the appform options page html() function. Unauthenticated attackers can delete arbitrary files on the server by inducing a site administrator to click a forged link.

Recommendations: Update the plugin to a version later than 1.6. As a temporary workaround, restrict access to the appform options page html() function to minimize the risk of exploitation.
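The two missing controls the advisory names, nonce validation and file path validation, are shown below in a hypothetical WordPress admin handler. This is an added example, not code from the Career Section plugin; the action name 'example_delete_upload', the nonce field 'example_nonce', the 'file' parameter and the function names are assumptions.

```php
<?php
// Added example, not code from the Career Section plugin. A hypothetical
// admin handler with the two controls whose absence the advisory names:
// nonce (CSRF) validation and file path validation. Assumed names: action
// 'example_delete_upload', nonce field 'example_nonce', parameter 'file'.

/**
 * Map a user-supplied relative name to a file inside the uploads directory.
 * Returns the canonical absolute path, or false when the name escapes that
 * directory (e.g. via "../") or the target does not exist.
 */
function example_resolve_upload_path( $name ) {
    $base = trailingslashit( wp_normalize_path( realpath( wp_upload_dir()['basedir'] ) ) );
    $real = realpath( $base . $name );
    if ( false === $real ) {
        return false;
    }
    $real = wp_normalize_path( $real );
    // The canonical path must sit strictly below the base directory.
    return ( 0 === strpos( $real, $base ) ) ? $real : false;
}

function example_handle_delete() {
    // 1. Authorization: only users who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: check_admin_referer() verifies the nonce and dies
    //    on failure, so a forged request from another site is rejected.
    check_admin_referer( 'example_delete_upload', 'example_nonce' );

    // 3. Path validation: refuse anything outside the uploads directory.
    $name = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $path = example_resolve_upload_path( $name );
    if ( false === $path || is_dir( $path ) ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }
    wp_delete_file( $path );
}

// The form must carry the nonce so the check above can succeed.
function example_render_delete_form( $file ) {
    echo '<form method="post">';
    wp_nonce_field( 'example_delete_upload', 'example_nonce' );
    echo '<input type="hidden" name="file" value="' . esc_attr( $file ) . '">';
    submit_button( 'Delete file' );
    echo '</form>';
}
```

The capability check alone does not stop CSRF, since the forged request rides on the administrator's own session; the nonce check is what ties the request to a form the site itself rendered.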

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-14868

Affected Products: Career Section