How to fix CVE-2025-14868?

Within 24 hours: Inventory all WordPress installations using Career Section plugin and identify current versions via admin dashboard or wp-cli. Within 7 days: Disable or remove Career Section plugin versions ≤1.6 from production environments; contact plugin developer for patch timeline. Within 30 days: Once vendor releases a patched version, update Career Section plugin to the latest available release and re-enable with full testing in staging environment first.

Is WordPress affected by CVE-2025-14868?

Career Section WordPress plugin versions 1.6 and earlier contain a CSRF vulnerability that allows attackers to trick administrators into deleting arbitrary server files through malicious links, potentially compromising site integrity and availability.

CVE-2025-14868

EUVD-2025-209493 HIGH

2026-04-16 Wordfence

GHSA-j38x-p248-237v

Path Traversal WordPress CSRF

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 08:35 vuln.today

cvss_changed

Analysis Generated

Apr 16, 2026 - 08:24 vuln.today

DescriptionNVD

The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform_options_page_html' function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery (CSRF) in Career Section WordPress plugin versions ≤1.6 enables unauthenticated attackers to delete arbitrary server files through social engineering. Attackers trick authenticated WordPress administrators into clicking malicious links that exploit missing nonce validation in the delete action handler, leading to path traversal and unrestricted file deletion. CVSS 8.8 (High) with network attack vector but requires user interaction (UI:R). EPSS and KEV data not provided; public exploit code status unknown. Wordfence advisory and upstream patch commit available.

CVE-2025-14868 vulnerability details – vuln.today

Back

CVE-2025-14868

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Share

External POC / Exploit Code