CVE-2025-14829

CRITICAL 9.1

e-xact-hosted-payment <= 2.0 - Unauthenticated Arbitrary File Deletion

CVSS Score

9.1

EPSS Score

0.1%

EPSS Percentile

31th

The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Vendor	unknown
Product	e-xact \| hosted payment \|
Published	Jan 13, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for unknown e-xact | hosted payment |

Be the first to know when new critical vulnerabilities affecting unknown e-xact | hosted payment | are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / E-xact | Hosted Payment |

0 ≤ 2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/872569bc-16fb-427f-accc-147f284137cd/

Credits

Khaled Alenazi (Nxploited) WPScan