{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/buddypress-xprofile-custom-fields-type/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2018-25308"}],"_cs_exploited":false,"_cs_products":["BuddyPress Xprofile Custom Fields Type"],"_cs_severities":["high"],"_cs_tags":["rce","file-deletion","wordpress"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBuddyPress Xprofile Custom Fields Type 2.6.3 is vulnerable to a remote code execution vulnerability, identified as CVE-2018-25308. This flaw enables authenticated users to execute arbitrary code on the server by deleting arbitrary files. The attack involves manipulating unescaped POST parameters, specifically \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e, during profile editing actions. Successful exploitation allows attackers to unlink files from the server, potentially disrupting services or gaining unauthorized access. This vulnerability was published on 2026-04-29 and poses a significant threat to BuddyPress installations that have not applied the necessary patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to a BuddyPress site running the vulnerable Xprofile Custom Fields Type 2.6.3 plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their profile editing page.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the profile update endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameters are manipulated to point to arbitrary files on the server.\u003c/li\u003e\n\u003cli\u003eThe server-side script processes the crafted POST request without proper sanitization or validation of the file paths.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eunlink()\u003c/code\u003e function or an equivalent file deletion function is called with the attacker-controlled file paths.\u003c/li\u003e\n\u003cli\u003eThe targeted files are deleted from the server file system.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially delete critical system files or web application files, leading to remote code execution or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25308 allows authenticated attackers to delete arbitrary files on the server. This can lead to a denial-of-service condition if critical system files are removed. The vulnerability can also potentially lead to remote code execution if the attacker is able to delete and replace executable files or inject malicious code into configuration files. While the number of victims is unknown, all BuddyPress installations using the vulnerable plugin are susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for BuddyPress Xprofile Custom Fields Type to address CVE-2018-25308.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on the server-side to prevent manipulation of file paths in POST parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting the profile update endpoint with unusual \u003ccode\u003efield_hiddenfile\u003c/code\u003e and \u003ccode\u003efield_deleteimg\u003c/code\u003e parameter values (reference the attack chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect exploitation attempts based on the manipulation of specific POST parameters (reference the Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:26Z","date_published":"2026-04-29T20:16:26Z","id":"/briefs/2026-04-buddypress-rce/","summary":"CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.","title":"BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution via Arbitrary File Deletion","url":"https://feed.craftedsignal.io/briefs/2026-04-buddypress-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — BuddyPress Xprofile Custom Fields Type","version":"https://jsonfeed.org/version/1.1"}