Description
WordPress Plugin Buddypress Xprofile Custom Fields Type is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to delete arbitrary files in the context of the webserver process. WordPress Plugin Buddypress Xprofile Custom Fields Type version 2.6.3 is vulnerable; prior versions may also be affected.
Remediation
Disable the plugin until a fix is available
References
https://www.exploit-db.com/exploits/44432/
https://www.youtube.com/watch?v=uIO_DvWCM3s
https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/#description
Related Vulnerabilities
Oracle JRE CVE-2013-2472 Vulnerability (CVE-2013-2472)
WordPress Plugin WP Photo Album Plus Cross-Site Scripting (5.4.17)
WordPress Plugin Classified Listing Store & Membership Cross-Site Scripting (1.4.19)
WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Request Forgery (1.5.2)