Career Section Plugin Vulnerability (CVE-2025-14868)

Security Alert Summary

The Career Section plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to path traversal and arbitrary file deletion in all versions up to and including 1.6. The issue is caused by missing nonce validation and insufficient file path validation on the delete action in the appform_options_page_html function. An unauthenticated attacker who can trick a site administrator into performing an action (for example, clicking a link) may be able to delete arbitrary files on the server.


CVE Details

  • CVE ID: CVE-2025-14868
  • Affected component: Career Section plugin for WordPress
  • Affected versions: All versions up to and including 1.6
  • Published: April 16, 2026 at 8:16:26 AM
  • Last modified: April 16, 2026 at 8:16:26 AM
  • CVSS v3.1: Base score 8.8, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Privileges required: None (PR:N), so no authentication is needed; User interaction: Required (UI:R), since an administrator must be induced to issue the request
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • Weakness (CWE): CWE-22 (Path Traversal)

Technical Details

The vulnerability is a CSRF-related path traversal and file deletion issue in the plugin’s options page handling. The delete action in the appform_options_page_html function lacks nonce validation and does not sufficiently validate file paths before performing deletions. Because the action can be triggered via an HTTP request without proper nonce checks, an attacker can craft a forged request that, if executed by an authenticated administrator, results in deletion of files referenced by manipulated paths.

The outcome is arbitrary file deletion, not file disclosure: the traversal sequence selects which file is removed. The risk arises from two failures: no server-side nonce or request verification to prevent CSRF, and inadequate sanitization/validation of the file path parameter, which lets path traversal sequences escape the intended directory.
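The following is an added example, not the Career Section plugin's code, showing how a WordPress delete handler closes both gaps described above: a nonce check (CSRF) and a path-containment check (traversal). The option slug, the `appform_file` and `_appform_nonce` parameter names, the `appform/` upload subdirectory and the `appform_example_*` function names are assumptions.

```php
<?php
// Added example (not the plugin's own code): a hardened delete handler for a
// plugin options page. Parameter names and the storage directory are assumed.

function appform_example_delete_handler() {
    // 1. Capability check: only users who may manage options can delete files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: check_admin_referer() stops the request with a 403
    //    page when the nonce is missing or does not match this action.
    check_admin_referer( 'appform_delete_file', '_appform_nonce' );

    // 3. Path validation: confine the requested name to the plugin directory.
    $requested = isset( $_POST['appform_file'] ) ? wp_unslash( $_POST['appform_file'] ) : '';
    $target    = appform_example_resolve_path( $requested );
    if ( false === $target ) {
        wp_die( 'Invalid file.', '', array( 'response' => 400 ) );
    }

    wp_delete_file( $target );
}

// Returns the absolute path of a file inside the plugin's upload directory,
// or false if the name is empty or resolves outside that directory.
function appform_example_resolve_path( $name ) {
    $base_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'appform/';
    // basename() drops any directory components ("../" included);
    // sanitize_file_name() strips slashes and other unsafe characters.
    $safe = sanitize_file_name( basename( $name ) );
    if ( '' === $safe ) {
        return false;
    }
    $real_base = realpath( $base_dir );
    $real_file = realpath( $base_dir . $safe );
    if ( false === $real_base || false === $real_file ) {
        return false; // directory or file does not exist
    }
    // Reject anything that resolved outside the base directory (symlinks too).
    if ( 0 !== strpos( $real_file, $real_base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $real_file;
}

// The form that issues the delete request must embed the matching nonce.
function appform_example_delete_form( $file_name ) {
    echo '<form method="post">';
    wp_nonce_field( 'appform_delete_file', '_appform_nonce' );
    echo '<input type="hidden" name="appform_file" value="' . esc_attr( $file_name ) . '">';
    submit_button( 'Delete file' );
    echo '</form>';
}
```

A forged cross-site request cannot carry a valid nonce for the administrator's session, so it fails at step 2 before any path is examined; a request that passes the nonce check but names a file outside the directory fails at step 3.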


How This Could Impact Your Website

Consider a typical small business WordPress site with a site owner (administrator), internal staff who manage content, and an external contractor who occasionally updates pages. An attacker could send a crafted link or web request to the site owner or an administrator and rely on them clicking it. If the administrator performs the action, the attacker could cause deletion of files on the server. Practical consequences include loss of plugin or theme files, deletion of backups or configuration files, broken site functionality, and removal of logs or evidence of other activity.

Because confidentiality, integrity, and availability impacts are all rated high for this issue, attackers could use file deletions to disrupt services and potentially remove or alter files that contain sensitive information. This may increase the risk of targeted phishing or social engineering if internal contact lists or related resources are affected. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and accounts with administrative capabilities.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, including unexpected delete requests or changes to plugin and theme files.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

