Description
WordPress Plugin Buddypress Xprofile Custom Fields Type is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to delete arbitrary files in the context of the webserver process. WordPress Plugin Buddypress Xprofile Custom Fields Type version 2.6.3 is vulnerable; prior versions may also be affected.
Remediation
Disable the plugin until a fix is available
References
https://www.exploit-db.com/exploits/44432/
https://www.youtube.com/watch?v=uIO_DvWCM3s
https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/#description
Related Vulnerabilities
WordPress Plugin Post Views Counter Cross-Site Scripting (1.3.4)
MySQL CVE-2018-2817 Vulnerability (CVE-2018-2817)
PostgreSQL Other Vulnerability (CVE-2002-1400)
WordPress Plugin Issuu Panel Local/Remote File Inclusion (1.6)
Ruby on Rails URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2021-22942)