
Invelity Product Feeds plugin for WordPress allows malicious file deletion

CVE-2025-14037
Summary

The Invelity Product Feeds plugin for WordPress is at risk of file deletion by hackers. If an administrator clicks on a malicious link, a hacker could delete any file on the server. To protect your site, update the plugin to a version newer than 1.2.6.

Original title
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and saniti...
Original description
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.
NVD CVSS 3.1: 8.1
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026
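
The description above names two missing controls: request-forgery protection on an admin action and validation of the file path before deletion. The following added example, which is not the plugin's code and is not taken from any patch, sketches a WordPress admin handler that applies both. The action name, nonce name, `feed_file` parameter, `example-feeds` directory, page slug and `.xml` allow-list are all hypothetical assumptions.

```php
<?php
// Added illustration; hypothetical handler, not the Invelity plugin's code.
// Assumed names: action/nonce 'example_delete_feed', POST field 'feed_file',
// feeds stored as .xml files in uploads/example-feeds.

add_action( 'admin_post_example_delete_feed', 'example_delete_feed_handler' );

function example_delete_feed_handler() {
    // 1. CSRF: dies unless the request carries a valid nonce for this action,
    //    so a link or form on another site cannot trigger the deletion.
    check_admin_referer( 'example_delete_feed', 'example_delete_feed_nonce' );

    // 2. Authorization: the nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 3. Input: accept a bare file name only. basename() drops any directory
    //    component, including "../" sequences.
    $requested = isset( $_POST['feed_file'] ) ? wp_unslash( $_POST['feed_file'] ) : '';
    $name      = sanitize_file_name( basename( (string) $requested ) );
    $ext       = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( '' === $name || 'xml' !== $ext ) { // assumed allow-list of feed types
        wp_die( 'Invalid feed file.', '', array( 'response' => 400 ) );
    }

    // 4. Containment: realpath() resolves symlinks and ".." segments; the
    //    resolved target must still sit inside the feed directory.
    $uploads = wp_upload_dir();
    $base    = realpath( trailingslashit( $uploads['basedir'] ) . 'example-feeds' );
    $target  = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_die( 'Feed file not found.', '', array( 'response' => 404 ) );
    }

    wp_delete_file( $target );
    wp_safe_redirect( admin_url( 'admin.php?page=example-feeds&deleted=1' ) );
    exit;
}
```

The containment check in step 4 is deliberately redundant with step 3: if the name filter is ever loosened, the resolved-path comparison still keeps deletion inside the feed directory.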