Security Advisory

CVE-2018-25308

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-04-29 19:24:39
Last updated 2026-05-25 23:41:01
Assigner VulnCheck
State PUBLISHED

Description

BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.
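One way to constrain a client-supplied file reference such as field_hiddenfile or field_deleteimg before it reaches unlink(), as an added PHP example that is not the plugin's own code or its vendor's fix. The function name delete_profile_upload, the per-user upload directory layout and the demo paths are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; function name and directory layout are hypothetical.
function delete_profile_upload(string $userDir, string $requested): bool
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return false;                       // empty or NUL-containing value
    }
    $base = realpath($userDir);
    if ($base === false || !is_dir($base)) {
        return false;                       // upload directory must exist
    }
    // Keep only the final path component: directory parts sent by the
    // client (absolute paths, "../" sequences) are discarded.
    $candidate = $base . DIRECTORY_SEPARATOR . basename($requested);
    if (is_link($candidate) || !is_file($candidate)) {
        return false;                       // no symlinks, regular files only
    }
    // Defence in depth: the resolved path must still sit under $base.
    $real = realpath($candidate);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($real);
}

// Constructed demo: a per-user upload directory beside a file that must survive.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xprofile-demo-' . bin2hex(random_bytes(4));
$userDir = $root . DIRECTORY_SEPARATOR . 'user-7';
$outside = $root . DIRECTORY_SEPARATOR . 'site-config.php';
mkdir($userDir, 0700, true);
file_put_contents($userDir . DIRECTORY_SEPARATOR . 'avatar.png', 'img');
file_put_contents($outside, 'secret');

var_dump(delete_profile_upload($userDir, '../site-config.php')); // request is refused
var_dump(file_exists($outside));                                 // outside file is untouched
var_dump(delete_profile_upload($userDir, 'avatar.png'));         // the user's own file is removed

// Remove the constructed demo tree.
unlink($outside);
rmdir($userDir);
rmdir($root);
```

In a real handler the path check complements, and does not replace, looking up the stored filename for the authenticated user's field server-side instead of trusting the POSTed value.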