Meta Box Plugin for WordPress: Attackers Can Delete Server Files

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.2

Meta Box Plugin for WordPress: Attackers Can Delete Server Files

CVE-2025-14675 GHSA-m4q3-832v-44j6 GHSA-m4q3-832v-44j6

Summary

The Meta Box plugin for WordPress allows attackers with contributor access to delete any file on the server, potentially leading to critical security risks. This affects all versions of the plugin up to and including 5.11.1. Update to the latest version to fix this issue.

What to do

Update wpmetabox meta-box to version 5.11.2.
Update wpmetabox wpmetabox/meta-box to version 5.11.2.

Affected software

Vendor	Product	Affected versions	Fix available
wpmetabox	meta-box	<= 5.11.2	5.11.2
wpmetabox	wpmetabox/meta-box	<= 5.11.2	5.11.2

Original title

Meta Box Plugin for WordPress: Authenticated (Contributor+) Arbitrary File Deletion via ajax_delete_file

Original description

The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

nvd CVSS3.1 7.2

Vulnerability type

CWE-22 Path Traversal

Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026