CVE-2025-14675
📋 TL;DR
The Meta Box WordPress plugin, in versions up to and including 5.11.1, contains an arbitrary file deletion vulnerability: an authenticated user with Contributor-level access or higher can delete any file the web server process is permitted to unlink. Deleting wp-config.php drops WordPress back into its installation wizard, which an attacker can complete against a database they control and from there obtain remote code execution. Version 5.11.2 fixes the issue.
💻 Affected Systems
- Meta Box WordPress Plugin
⚠️ Manual Verification Required
The NVD entry for this CVE carries no machine-readable version range, so scanners keyed to NVD data cannot tell whether a given install is affected. Use the vendor's range instead: Meta Box 5.11.1 and earlier are vulnerable, and 5.11.2 is the first fixed release (see Fix & Mitigation and How to Verify below).
- Review the CVE details at NVD
- Check the vendor's advisory (the Meta Box pull request and the Wordfence entry in the references) for the affected range
- Test whether the vulnerability is reachable in your environment; a Contributor-level test account is sufficient to exercise the affected code path
- Update to 5.11.2 or later rather than waiting for NVD version data
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise: deleting wp-config.php puts WordPress into its install wizard, letting the attacker complete setup against a database they control and then run arbitrary PHP (for example through a malicious plugin or theme), with data theft, defacement or ransomware deployment as follow-on outcomes.
Likely Case
Site disruption or data loss: deletion of uploads, theme or plugin files, or .htaccess causes downtime or content loss without necessarily giving the attacker code execution.
If Mitigated
Limited impact if the web server process cannot unlink files outside wp-content (see File Permission Hardening below). Files the web server must own, such as everything under wp-content/uploads, remain deletable by any Contributor-level account until the plugin is patched.
🎯 Exploit Status
Exploitation requires an authenticated account at Contributor level or above; on sites with open registration and a Contributor default role, or that accept guest authors, that is a low bar. Once logged in, the deletion is a request to the plugin's admin-ajax handler (see Detection & Monitoring). The GitHub pull request in the references is the vendor's fix, not an exploit, but it makes the vulnerable code path easy to locate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.11.2
Vendor Advisory: https://github.com/wpmetabox/meta-box/pull/1654
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Meta Box plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.11.2 or later from WordPress.org and update manually.
🔧 Temporary Workarounds
Restrict User Roles
Temporarily downgrade Contributor, Author and Editor accounts you do not fully trust to Subscriber until the patch is applied; Subscriber is below the Contributor threshold the vulnerability requires.
File Permission Hardening
Whether a file can be deleted is decided by write permission on its parent directory, not by the mode bits of the file itself, so chmod 400 on wp-config.php alone does not stop unlink(). Make the file and its parent directory owned by root, keep the file group-readable so PHP can still load it (do not chown it root:root with mode 400, which breaks the site), and make sure the directory is not writable by the web-server user. The www-data group below is the Debian/Ubuntu web-server group; substitute the one your PHP process runs as.
# run from the directory that contains wp-config.php (the document root)
chown root:www-data wp-config.php   # root owns it, PHP reads it through the group
chmod 640 wp-config.php             # no world access
chown root:root .                   # the directory owner decides who may unlink entries
chmod 755 .                         # web-server user can traverse but not write
This stops deletion of wp-config.php only; wp-content/uploads must stay writable and its contents remain deletable until the plugin is patched. If core auto-updates rely on the web-server user writing to the document root, this change disables them.
🧯 If You Can't Patch
- Disable the Meta Box plugin entirely until patching is possible
- Deploy file-integrity monitoring (for example AIDE, Tripwire, or a WordPress audit plugin) that alerts on deletion of wp-config.php, .htaccess and plugin or theme files, and treat any such alert as a live incident
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for the Meta Box version. Versions 5.11.1 and earlier are vulnerable. Compare versions numerically, not as strings: 5.9.0 is older than 5.11.2 even though it sorts after it lexically.
Check Version:
wp plugin list --name=meta-box --field=version
Verify Fix Applied:
After updating, verify Meta Box plugin version shows 5.11.2 or higher in WordPress admin.
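The version check above, as an added example that is not part of this advisory or the Meta Box project: it reads the Version: field straight from the plugin's main file (wp-content/plugins/meta-box/meta-box.php, the standard WordPress plugin header location) so it works on hosts without WP-CLI, and compares versions as integer tuples to avoid the string-ordering trap noted above. The sample header is constructed for illustration; the 5.11.2 threshold comes from the vendor fix cited on this page.

```python
"""Added example: triage Meta Box installs against CVE-2025-14675 by parsing
the plugin header and comparing versions numerically. Not vendor code."""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "5.11.2"   # first safe release according to the vendor fix

# Standard WordPress plugin header line, e.g. " * Version:     5.11.1"
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.11.1' (or 'v5.11.1', '5.11.2-beta1') into a tuple of ints.
    Pre-release suffixes are dropped, so a pre-release of the fixed version
    compares equal to the fixed version; adjust if that is too lenient."""
    core = re.split(r"[^0-9.]", version.strip().lstrip("vV"), maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split(".") if p != "")
    if not parts:
        raise ValueError(f"not a version string: {version!r}")
    return parts


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the first fixed release.
    Tuple comparison avoids the string trap where '5.9.0' > '5.11.2'."""
    return parse_version(version) < parse_version(fixed)


def version_from_header(plugin_main_file_text: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header block."""
    m = _VERSION_RE.search(plugin_main_file_text)
    return m.group(1) if m else None


def triage_install(wp_root: str) -> Optional[Tuple[str, bool]]:
    """For one WordPress install, return (version, vulnerable) for Meta Box,
    or None when the plugin (or its header) is not present."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / "meta-box" / "meta-box.php"
    if not main_file.is_file():
        return None
    version = version_from_header(main_file.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return None
    return version, is_vulnerable(version)


# Constructed sample of a plugin header (illustrative, not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Meta Box
 * Plugin URI:  https://metabox.io
 * Description: Custom fields framework (sample header, constructed)
 * Version:     5.11.1
 * Author:      MetaBox.io
 */
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"sample header version {v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for candidate in ("5.9.0", "5.11.1", "5.11.2", "5.11.10"):
        print(candidate, "vulnerable" if is_vulnerable(candidate) else "patched")
    for root in ("/var/www/html",):   # hypothetical install path; extend to your fleet
        print(root, triage_install(root))
```

Run it on each host with the document roots of your installs in the final loop; a result of None means Meta Box is not installed there, or is installed under a non-standard directory and needs a manual look.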
📡 Detection & Monitoring
Log Indicators:
- WordPress audit-log entries (for example from an activity-log plugin) recording file or attachment deletion by Contributor, Author or Editor accounts, especially from accounts that do not normally manage media
- Requests to /wp-admin/admin-ajax.php carrying action=rwmb_delete_file. The action parameter normally travels in the POST body, which default Apache and nginx access logs do not record; you need request-body logging from a WAF (for example the ModSecurity audit log), a reverse proxy, or a WordPress-level hook to see it
Network Indicators:
- HTTP POST requests to admin-ajax.php with file deletion parameters from low-privilege sessions
- A request to /wp-admin/setup-config.php or /wp-admin/install.php on a production site: WordPress redirects to the install wizard when wp-config.php is missing, so a hit there shortly after an admin-ajax POST from the same source is a strong sign the file was deleted
SIEM Query:
source="wordpress" action="file_delete" (user_role="contributor" OR user_role="author" OR user_role="editor" OR user_role="administrator")
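The detection logic above as an added, runnable example that is not from this advisory, Wordfence or the Meta Box project. It replays constructed JSON-line events from a hypothetical WAF or reverse proxy that records POST bodies (plain access logs would not show the action parameter), flags any call to the rwmb_delete_file action by a non-administrator role, and treats any hit on the install wizard (/wp-admin/setup-config.php or /wp-admin/install.php, which WordPress serves when wp-config.php is missing) as critical, correlating it with a preceding delete request from the same source within ten minutes. The event field names (ts, src, user, role, method, uri, status, body), the correlation window, and every body parameter other than action are assumptions.

```python
"""Added example: detection for CVE-2025-14675 over constructed log events.
Log format and field names are hypothetical; the only fact taken from the
advisory is the rwmb_delete_file action name."""
import json
from datetime import datetime, timedelta
from typing import Dict, Iterable, List
from urllib.parse import parse_qs

DELETE_ACTION = "rwmb_delete_file"   # Meta Box AJAX action named in the advisory
WIZARD_PATHS = {"/wp-admin/setup-config.php", "/wp-admin/install.php"}  # served when wp-config.php is gone
CORRELATION_WINDOW = timedelta(minutes=10)   # assumed window linking a delete to the wizard


def _action_of(encoded: str) -> str:
    """admin-ajax.php dispatches on the `action` field, which may arrive in the
    query string or the POST body; parse_qs handles both encodings."""
    return parse_qs(encoded).get("action", [""])[0]


def detect(lines: Iterable[str]) -> List[Dict]:
    """Return findings in log order. Each finding: severity, ts, src, user, reason."""
    findings: List[Dict] = []
    last_delete_by_src: Dict[str, datetime] = {}   # most recent delete request per source IP
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        path, _, query = ev["uri"].partition("?")
        if path.endswith("/wp-admin/admin-ajax.php"):
            action = _action_of(query) or _action_of(ev.get("body", ""))
            if action != DELETE_ACTION:
                continue
            role = ev.get("role", "").lower() or "unknown"
            last_delete_by_src[src] = ts
            findings.append({
                "severity": "info" if role == "administrator" else "high",
                "ts": ev["ts"], "src": src, "user": ev.get("user") or "?",
                "reason": f"{DELETE_ACTION} invoked by role={role}",
            })
        elif path in WIZARD_PATHS:
            last = last_delete_by_src.get(src)
            linked = last is not None and timedelta(0) <= ts - last <= CORRELATION_WINDOW
            findings.append({
                "severity": "critical",
                "ts": ev["ts"], "src": src, "user": ev.get("user") or "?",
                "reason": ("install wizard reached shortly after a file-delete request from this source"
                           if linked else "install wizard reachable: wp-config.php may be missing"),
            })
    return findings


# Constructed sample log (not real traffic). Event 2 is a contributor hitting the
# vulnerable handler; event 3 is the install wizard appearing from the same IP.
SAMPLE_LOG = """
{"ts":"2025-12-02T09:10:00","src":"203.0.113.5","user":"alice","role":"administrator","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"body":"action=heartbeat&_nonce=abc"}
{"ts":"2025-12-02T09:12:30","src":"198.51.100.7","user":"bob","role":"contributor","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"body":"action=rwmb_delete_file&_ajax_nonce=deadbeef"}
{"ts":"2025-12-02T09:13:02","src":"198.51.100.7","user":"","role":"","method":"GET","uri":"/wp-admin/setup-config.php","status":200,"body":""}
{"ts":"2025-12-02T09:20:00","src":"203.0.113.5","user":"alice","role":"administrator","method":"POST","uri":"/wp-admin/admin-ajax.php","status":200,"body":"action=rwmb_delete_file&_ajax_nonce=cafe"}
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity'].upper():8}] {f['ts']} {f['src']} user={f['user']}: {f['reason']}")
```

Administrator calls are reported at info level rather than suppressed, because a compromised administrator session looks identical to a legitimate one in this data; the wizard indicator is what separates the two. Point the function at your real body-logging source and map its field names in place of the assumed ones.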
🔗 References
- https://github.com/wpmetabox/meta-box/pull/1654
- https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L30
- https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L54
- https://plugins.trac.wordpress.org/changeset/3475210/meta-box#file3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/036467de-95bb-4bfd-9522-df8dc17f3102?source=cve