CVE-2025-69376 HIGH

CVE-2025-69376: WordPress User Extra Fields plugin <= 17.0 - Arbitrary File Deletion vulnerability

Vendor Vanquish
Product User Extra Fields
Weakness CWE-22 · Path traversal
Published February 20, 2026
Last update April 28, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal. This issue affects User Extra Fields: from n/a through <= 17.0.

Explanation of Vulnerability in Simple Terms

02 Summary

User Extra Fields versions 17.0 and earlier contain a path traversal vulnerability that allows arbitrary file deletion, which an attacker can use to cause a denial of service by disrupting site availability. The vulnerability requires no authentication or user interaction and can be exploited over the network. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Make the site unavailable or unresponsive by exploiting a path traversal flaw.

Potential impact on your site

04 Site Impact

Your site may become unavailable or experience service disruption without warning.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated