CVE-2025-4946
📋 TL;DR
The Vikinger WordPress theme allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server due to insufficient path validation. This vulnerability can lead to remote code execution by deleting critical files like wp-config.php. Affects all Vikinger theme versions up to 1.9.32 when the Vikinger Media plugin is active.
💻 Affected Systems
- Vikinger WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via remote code execution by deleting wp-config.php or other critical files, leading to data loss, defacement, or server takeover.
Likely Case
Site disruption or data loss from deletion of important files, potentially causing downtime or content loss.
If Mitigated
Limited impact if proper file permissions and access controls prevent critical file deletion.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber role or higher). The vulnerability is publicly documented with proof-of-concept details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.33 or later
Vendor Advisory: https://themeforest.net/item/vikinger-buddypress-and-gamipress-social-community/28612259
Restart Required: No
Instructions:
1. Update Vikinger theme to version 1.9.33 or later via WordPress admin panel. 2. Verify the Vikinger Media plugin is also updated if applicable. 3. Clear any caching plugins or server caches.
🔧 Temporary Workarounds
Disable Vikinger Media Plugin
allTemporarily deactivate the Vikinger Media plugin to remove the vulnerable functionality.
wp plugin deactivate vikinger-media
Restrict User Registration
allDisable new user registration to prevent attackers from obtaining Subscriber accounts.
Set 'Anyone can register' to false in WordPress Settings > General
🧯 If You Can't Patch
- Implement strict file permissions (e.g., 644 for files, 755 for directories) to protect critical files like wp-config.php.
- Monitor and audit file deletion activities in server logs and WordPress activity logs.
🔍 How to Verify
Check if Vulnerable:
Check Vikinger theme version in WordPress admin under Appearance > Themes. If version is 1.9.32 or earlier and Vikinger Media plugin is active, the site is vulnerable.Check Version:
wp theme list --name=vikinger --field=versionVerify Fix Applied:
Confirm Vikinger theme version is 1.9.33 or later in WordPress admin. Test that the vikinger_delete_activity_media_ajax function no longer accepts arbitrary file paths.📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in WordPress debug.log or server error logs
- POST requests to /wp-admin/admin-ajax.php with action=vikinger_delete_activity_media containing suspicious file paths
Network Indicators:
- HTTP POST requests to admin-ajax.php with file deletion parameters from unexpected IPs
SIEM Query:
source="*access.log*" AND "POST /wp-admin/admin-ajax.php" AND "action=vikinger_delete_activity_media" AND (".." OR "/etc/" OR "wp-config")