BuddyPress Xprofile Custom Fields Type: Authenticated Users Can Delete Arbitrary Files (CVE-2018-25308)

The National Vulnerability Database has published CVE-2018-25308, an arbitrary file deletion vulnerability in the BuddyPress Xprofile Custom Fields Type plugin, version 2.6.3. The flaw lets an authenticated user delete arbitrary files on the server. It stems from two POST parameters, field_hiddenfile and field_deleteimg, whose values the plugin accepts unvalidated during profile editing and passes to a file-deletion call.

An attacker edits a profile, substitutes a path of their choosing for the expected file name in one of those parameters, and the plugin unlinks whatever that path points to. Rated CVSS 8.8 (HIGH), the issue enables denial of service and data loss, and it can open the way to further compromise by removing security-relevant files or logs. In WordPress the classic target is wp-config.php: without it the site drops into its installer, which is why arbitrary file deletion is routinely treated as a step toward code execution rather than a mere nuisance.

This isn’t just about deleting user-uploaded images; the primitive is arbitrary file deletion, bounded only by the permissions of the web server process. Defenders should assume that an attacker holding even a low-privilege account that can edit its own profile can use it to take a BuddyPress site down. The root cause is missing validation of a user-controlled file path before a destructive file operation, a classic weakness that continues to plague web applications. For CISOs, this underlines the need for rigorous code review and strict input validation, especially in plugins and extensions that perform file operations on user-supplied names.
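The vulnerable pattern and its fix, as an added illustration that is not the plugin's code (the plugin is PHP; the check is shown in Python so it runs stand-alone). The vulnerable handler mirrors the flaw described above: a submitted file name is joined onto the upload directory and unlinked with no confinement check. The hardened handler accepts only a bare file name, scopes it to the requesting user's own sub-directory (the <uploads>/<user id>/ layout is an assumption), refuses symlinks, and verifies after realpath that the target is still inside that directory. The site tree it operates on is constructed in a temp directory.

```python
import os
import tempfile


def vulnerable_delete(upload_dir, field_deleteimg):
    """Shape of the flaw described above (illustrative, not the plugin's code):
    the submitted value is joined onto the upload directory and unlinked with
    no check that the result is still inside it. '..' segments walk out of the
    directory, and an absolute value makes os.path.join discard upload_dir."""
    target = os.path.join(upload_dir, field_deleteimg)
    os.unlink(target)
    return target


def hardened_delete(upload_dir, owner_id, field_deleteimg):
    """Deletes a file only if it is a bare file name, resolves (after symlink
    resolution) inside the requesting user's own sub-directory of upload_dir,
    and is a regular file. Raises PermissionError otherwise.
    Assumed layout: <upload_dir>/<owner_id>/<file>."""
    # 1. Accept only a bare name: no separators, no '.'/'..', not empty.
    if (not field_deleteimg
            or field_deleteimg in (".", "..")
            or "/" in field_deleteimg
            or "\\" in field_deleteimg
            or "\x00" in field_deleteimg):
        raise PermissionError("file name must be a bare basename")
    # 2. Scope to the authenticated user's directory, not the whole upload root.
    base = os.path.realpath(os.path.join(upload_dir, str(owner_id)))
    unresolved = os.path.join(base, field_deleteimg)
    # 3. Refuse symlinks outright; a link inside the directory can point anywhere.
    if os.path.islink(unresolved):
        raise PermissionError("symbolic links are not deletable here")
    # 4. Confine after realpath so the comparison sees the real location.
    candidate = os.path.realpath(unresolved)
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("path escapes the user's upload directory")
    if not os.path.isfile(candidate):
        raise PermissionError("not a regular file")
    os.unlink(candidate)
    return candidate


def _raises_permission_error(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Builds a constructed site tree in a temp dir and exercises both handlers.
    Returns a dict of outcomes so the behaviour can be checked programmatically."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    user_dir = os.path.join(uploads, "42")
    os.makedirs(user_dir)
    config = os.path.join(root, "wp-config.php")   # constructed stand-in for a critical file
    avatar = os.path.join(user_dir, "avatar.png")   # the user's own legitimate upload
    for path in (config, avatar):
        open(path, "w").close()
    os.symlink(config, os.path.join(user_dir, "link.png"))  # attacker-planted symlink

    out = {}
    # Vulnerable handler: a traversal value removes a file outside the upload dir.
    vulnerable_delete(uploads, "../wp-config.php")
    out["vulnerable_removed_config"] = not os.path.exists(config)
    open(config, "w").close()  # recreate for the hardened attempts

    # Hardened handler: every escape attempt is refused, the legitimate one succeeds.
    out["traversal_rejected"] = _raises_permission_error(hardened_delete, uploads, 42, "../wp-config.php")
    out["absolute_rejected"] = _raises_permission_error(hardened_delete, uploads, 42, config)
    out["symlink_rejected"] = _raises_permission_error(hardened_delete, uploads, 42, "link.png")
    out["other_user_rejected"] = _raises_permission_error(hardened_delete, uploads, 7, "avatar.png")
    out["config_still_present"] = os.path.exists(config)
    hardened_delete(uploads, 42, "avatar.png")
    out["legit_deleted"] = not os.path.exists(avatar)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of the checks matters: the symlink test runs on the unresolved path before realpath, because once resolved a planted link looks like an ordinary file elsewhere; the containment comparison runs after realpath so that a directory the attacker can rename or relink cannot move the target. In a real plugin the same handler would also verify the nonce and that the current user owns the profile being edited.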

What This Means For You

  • If your organization runs the BuddyPress Xprofile Custom Fields Type plugin at version 2.6.3, you are exposed. Check the plugin's version (not only BuddyPress core) and update to a release that addresses CVE-2018-25308; if no fixed release is available, disable or remove the plugin. Audit for unexpected file deletions under the web root, and review request logs for profile-edit POSTs from low-privilege accounts whose field_hiddenfile or field_deleteimg values carry path traversal sequences or absolute paths rather than a bare file name.

🛡️ Detection Rules

Rule: BuddyPress Xprofile Custom Fields Arbitrary File Deletion - CVE-2018-25308
Level: critical · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

Sigma YAML:
title: BuddyPress Xprofile Custom Fields Arbitrary File Deletion - CVE-2018-25308
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects the exploit pattern for CVE-2018-25308 in the BuddyPress Xprofile Custom Fields Type plugin,
  where an authenticated user deletes arbitrary files by submitting manipulated 'field_hiddenfile' and
  'field_deleteimg' parameters while editing a profile. Both parameters travel in the POST body, so a
  plain access log (method, URI stem, query string) cannot see them; feed this rule from a source that
  records request bodies (WAF audit log, reverse proxy with body logging, or an application-level
  request log) and map that body field to 'request_body' below.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25308/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_request:
    cs-method: 'POST'
    cs-uri-stem|contains:
      # admin-side field setup page named in the original rule
      - '/wp-admin/admin.php'
      # member-facing profile edit pages, where low-privilege users submit profile fields
      - '/profile/edit/'
  selection_params:
    # 'request_body' is not a standard webserver-category field: map it to the
    # POST body field of your WAF or proxy log before deploying.
    request_body|contains:
      - 'field_hiddenfile'
      - 'field_deleteimg'
  condition: selection_request and selection_params
falsepositives:
  - Legitimate profile edits that remove an uploaded image; those submit a bare file name, so
    review the parameter value for '../' sequences or an absolute path before escalating
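The check the Sigma rule above cannot make on its own, run over sample request-body logs. This is an added example, not part of the original rule or the plugin: it parses constructed JSON-lines records of the kind a WAF or reverse proxy with body logging would emit, percent-decodes each POST body, and alerts only when a field_hiddenfile or field_deleteimg value is something other than a bare file name, so a user legitimately removing their own avatar does not fire it. The URIs follow the BuddyPress member profile edit pattern and the parameter names are matched by prefix in case the plugin suffixes them with a field id; both are assumptions.

```python
import json
from urllib.parse import parse_qs

# Parameter names from the advisory. Matched by prefix on the assumption that
# the plugin may append a field id (e.g. field_deleteimg_12).
WATCHED_PREFIXES = ("field_hiddenfile", "field_deleteimg")

# Constructed request-body log in JSON Lines form, as a WAF or reverse proxy
# with body logging might emit. Not real traffic.
SAMPLE_LOG = """\
{"user": "alice", "method": "GET", "uri": "/members/alice/profile/edit/group/1/", "body": ""}
{"user": "alice", "method": "POST", "uri": "/members/alice/profile/edit/group/1/", "body": "field_12=Alice&field_deleteimg_12=avatar.png"}
{"user": "mallory", "method": "POST", "uri": "/members/mallory/profile/edit/group/1/", "body": "field_12=x&field_deleteimg_12=..%2F..%2F..%2Fwp-config.php"}
{"user": "mallory", "method": "POST", "uri": "/members/mallory/profile/edit/group/1/", "body": "field_hiddenfile_12=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fdebug.log&field_12=y"}
{"user": "bob", "method": "POST", "uri": "/wp-login.php", "body": "log=bob&pwd=REDACTED"}
"""


def is_suspicious_file_value(value):
    """A legitimate deletion names one of the user's own uploads, i.e. a bare
    file name. Anything carrying a path component, traversal or a NUL byte is
    an exploit-attempt candidate."""
    return (not value
            or value in (".", "..")
            or "/" in value
            or "\\" in value
            or "\x00" in value)


def scan(log_text):
    """Parses JSON-lines records and returns one alert per suspicious watched
    parameter value found in a POST body."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST":
            continue
        # parse_qs percent-decodes, so an encoded '..%2F' traversal becomes '../'
        params = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for name, values in params.items():
            if not name.startswith(WATCHED_PREFIXES):
                continue
            for value in values:
                if is_suspicious_file_value(value):
                    alerts.append({
                        "user": rec.get("user"),
                        "uri": rec.get("uri"),
                        "param": name,
                        "value": value,
                    })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Decoding before inspection is the point: the traversal in the third record is percent-encoded on the wire, and a substring match for '../' on the raw body would miss it. Running the same value check inside the application (before unlink) and in the log pipeline (after the fact) gives both prevention and a forensic trail from the same rule.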

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type           Indicator
CVE-2018-25308  Vulnerability  CVE-2018-25308
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
