CVE-2025-69377 HIGH

CVE-2025-69377: WordPress User Extra Fields plugin <= 17.0 - Arbitrary File Deletion vulnerability

Vendor: Vanquish
Product: User Extra Fields
Weakness: CWE-22 · Path traversal
Published: February 20, 2026
Last update: April 28, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Vanquish User Extra Fields (wp-user-extra-fields) allows Path Traversal. This issue affects User Extra Fields: all versions up to and including 17.0.

Explanation of Vulnerability in Simple Terms

02 Summary

User Extra Fields versions 17.0 and earlier contain a path traversal vulnerability that allows authenticated users to disrupt site availability (denial of service). An attacker with low-level account access can exploit this flaw without user interaction. The impact extends to the entire site, making it a significant availability risk for multi-user installations.

What an attacker can do

03 Attacker Capabilities

Disrupt site availability through a path traversal attack that impacts the entire application.

Potential impact on your site

04 Site Impact

Site availability can be disrupted by authenticated users with low-level accounts, affecting all users.

Conditions required to exploit

05 Prerequisites

The attacker must have a low-privilege user account; no user interaction is required.

Key dates

06 Disclosure timeline

February 20, 2026: CVE published
April 28, 2026: Record updated