Security Alert Summary
The E-xact | Hosted Payment WordPress plugin through version 2.0 contains an arbitrary file deletion vulnerability caused by insufficient file path validation. According to the CVE entry, this weakness can allow unauthenticated attackers to delete files on the server.
CVE Details
- CVE ID: CVE-2025-14829
- Affected component: E-xact | Hosted Payment WordPress plugin
- Affected versions: through 2.0
- Published: January 13, 2026, 6:15:49 AM UTC
- Last modified: January 13, 2026, 3:15:58 PM UTC
- CVSS v3.1: Base Score 9.1, Severity: CRITICAL
- CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Authentication / Privileges / User Interaction: no authentication required; Privileges Required: NONE; User Interaction: NONE (values taken from the CVSS vector)
- Primary impact: Integrity: HIGH; Availability: HIGH; Confidentiality: NONE
- CWE / weakness ID: Not specified in the CVE entry
Technical Details
The vulnerability is an arbitrary file deletion issue resulting from insufficient validation of file paths in the plugin. The CVE description states that the plugin “through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation,” which makes it possible for unauthenticated attackers to delete arbitrary files on the server.
No specific functions, hooks, or REST API endpoints are named in the CVE entry. The root cause, as described, is a lack of proper path validation or sanitization when handling file operations, which lets request-supplied input select file paths outside the directories the plugin intends to operate on.
Impact: An attacker who can trigger the vulnerable code path can delete files the web server account has permission to remove. The CVSS data indicates the issue is exploitable remotely without authentication and can result in high integrity and availability impact (file deletion), while confidentiality impact is not indicated.
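As an added example (not code from the plugin or the CVE entry), this shows how a WordPress plugin's file-delete handler can avoid the weakness class described above: the action is registered for logged-in users only, checks a nonce and a capability, and confines deletion to one fixed directory by rejecting any resolved path that escapes it. The hook, action and parameter names (example_delete_receipt, file, example-receipts) are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Names are hypothetical.

/**
 * Resolve $relative against $base_dir and return the absolute path only if it
 * is an existing regular file inside $base_dir; otherwise return false.
 */
function example_resolve_inside_dir( string $base_dir, string $relative ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    // realpath() collapses "..", symlinks and duplicate separators, and returns
    // false when the path does not exist (so there is nothing to delete anyway).
    $target = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $target || ! is_file( $target ) ) {
        return false;
    }
    // Prefix check with a trailing separator so "/uploads-evil" does not pass
    // for a base of "/uploads".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $target, $prefix ) ) {
        return false;
    }
    return $target;
}

/**
 * AJAX handler: valid nonce + capability required, and only files directly
 * under the plugin's own upload folder can be removed.
 */
function example_delete_receipt_handler() {
    check_ajax_referer( 'example_delete_receipt', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $requested = isset( $_POST['file'] ) ? (string) wp_unslash( $_POST['file'] ) : '';
    // Reduce to a bare file name first: any directory component is dropped.
    $name    = sanitize_file_name( basename( $requested ) );
    $uploads = wp_upload_dir();
    $path    = example_resolve_inside_dir( $uploads['basedir'] . '/example-receipts', $name );
    if ( '' === $name || false === $path || ! unlink( $path ) ) {
        wp_send_json_error( 'file not found or not deletable', 400 );
    }
    wp_send_json_success( array( 'deleted' => $name ) );
}
// No wp_ajax_nopriv_ registration: unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_delete_receipt', 'example_delete_receipt_handler' );
```

The two layers are deliberate: basename() plus sanitize_file_name() strips traversal from the input, and the realpath prefix check catches anything that still resolves outside the allowed directory (for instance via a symlink).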
How This Could Impact Your Website
In a typical small- or medium-sized WordPress site setup, multiple users may interact with the site: the site owner, internal staff (editors, content contributors), and occasional external contractors or vendors. Because this vulnerability can be triggered without authentication, an external attacker could attempt to delete files the web server user can write to. Practical consequences include removal of theme or plugin files, deleted uploads (images, PDFs), or other writable files that could disrupt site functionality or content availability.
Consequences to consider:
- Broken pages or disabled functionality if deleted files are required for plugins or themes.
- Increased recovery time and the need to restore from backups if important files are removed.
- Potential for targeted follow-up attacks or social engineering if site operators must reach out to users after a disruption.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry lists affected versions through 2.0; a fixed version is not specified in the CVE entry.)
- Review and reduce unnecessary user roles, especially contributor accounts and any accounts with write access to plugin or theme directories.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and themes to reduce attack surface.
- Monitor site activity and file system changes for unusual behavior, and ensure regular backups are in place and tested.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.