Description
WordPress Plugin Buddypress Xprofile Custom Fields Type is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to delete arbitrary files in the context of the webserver process. WordPress Plugin Buddypress Xprofile Custom Fields Type version 2.6.3 is vulnerable; prior versions may also be affected.
Remediation
Disable the plugin until a fix is available
References
https://www.exploit-db.com/exploits/44432/
https://www.youtube.com/watch?v=uIO_DvWCM3s
https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/#description
Related Vulnerabilities
Joomla! Core 1.0.x Security Bypass (1.0.0 - 1.0.10)
WordPress Plugin WordPress Bitcoin Payments-Blockonomics Cross-Site Scripting (3.2)
WordPress Plugin Admin Pack by SITE CASEIRO Cross-Site Scripting (1.1)
MediaWiki CVE-2023-29137 Vulnerability (CVE-2023-29137)
WordPress Plugin Custom Fields Search by BestWebSoft Cross-Site Scripting (1.3.1)