PT-2026-35991 · Undefined · Undefined
Published
2026-04-29
·
Updated
2026-04-29
·
CVE-2018-25308
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field hiddenfile and field deleteimg parameters during profile editing to unlink files from the server.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Undefined