CVE-2025-6043

8.1 HIGH

📋 TL;DR

This vulnerability in the Malcure Malware Scanner WordPress plugin allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files when advanced mode is enabled. This can lead to remote code execution by deleting critical system files. Only WordPress sites using this plugin with advanced mode enabled are affected.

💻 Affected Systems

Products:
  • Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal
Versions: All versions up to and including 16.8
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only exploitable when advanced mode is enabled on the WordPress site.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise through remote code execution leading to data theft, defacement, or ransomware deployment.

🟠 Likely Case: Site disruption through deletion of critical WordPress files causing downtime and potential data loss.

🟢 If Mitigated: Limited impact if proper access controls and file permissions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access (Subscriber role or higher) and advanced mode enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 16.9 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-malware-removal/

Restart Required: No

Instructions:

  1. Update plugin to version 16.9 or later via WordPress admin panel.
  2. Verify update completed successfully.
  3. Test plugin functionality.

🔧 Temporary Workarounds

Disable Advanced Mode (Versions: all)

Turn off advanced mode in plugin settings to prevent exploitation.

Remove Plugin (Versions: all)

Temporarily disable or remove the plugin until patched.

🧯 If You Can't Patch

  • Restrict user roles: every account at Subscriber level or higher can trigger the deletion, so limit open registration and remove or downgrade accounts that do not need access
  • Implement file integrity monitoring to detect unauthorized file deletions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for plugin version 16.8 or earlier and verify advanced mode is enabled.

Check Version (WP-CLI; the name filter takes the plugin slug, which is wp-malware-removal per the vendor advisory URL above, not the display title):

wp plugin list --name=wp-malware-removal --field=version

Verify Fix Applied:

Confirm plugin version is 16.9 or later in WordPress admin panel.
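The version check above, as an added example script that is not part of the advisory or the plugin: it reads the installed version with WP-CLI and compares it against the 16.9 fix version using sort -V, so that 16.10 is correctly treated as newer than 16.9. It assumes WP-CLI (wp) is installed and run from the WordPress root, that the plugin slug is wp-malware-removal (taken from the vendor advisory URL), and a sort that supports -V (GNU coreutils or busybox). The advisory does not name the option that stores the advanced-mode flag, so that part of the check is still done manually in the plugin settings.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes: WP-CLI available as "wp",
# run from the WordPress root; plugin slug "wp-malware-removal" (from the
# vendor advisory URL); sort(1) with -V support.

PLUGIN_SLUG="wp-malware-removal"
FIXED_VERSION="16.9"

# Returns 0 (true) when $1 sorts strictly below the fixed version, i.e. the
# installed build is 16.8 or earlier (CVE-2025-6043 affected range);
# returns 1 when it is 16.9 or later; returns 2 when no version was given.
malcure_version_is_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 2
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ] && [ "$ver" != "$FIXED_VERSION" ]
}

# Reads the installed version via WP-CLI. Prints nothing when the plugin
# is not installed or wp is unavailable.
malcure_installed_version() {
    wp plugin list --name="$PLUGIN_SLUG" --field=version 2>/dev/null
}

# Human-readable verdict; exit status 1 means "update needed".
malcure_report() {
    installed=$(malcure_installed_version)
    if [ -z "$installed" ]; then
        echo "$PLUGIN_SLUG: not installed (or wp unavailable)"
        return 0
    fi
    if malcure_version_is_vulnerable "$installed"; then
        echo "$PLUGIN_SLUG $installed: VULNERABLE to CVE-2025-6043 if advanced mode is on;"
        echo "  update to $FIXED_VERSION or later, or disable advanced mode in the plugin settings"
        return 1
    fi
    echo "$PLUGIN_SLUG $installed: fix version $FIXED_VERSION or later is installed"
    return 0
}

# Only run the live check when WP-CLI is present; the functions above can
# still be sourced and used on their own.
command -v wp >/dev/null 2>&1 && malcure_report
```

Run the script from the WordPress root; a non-zero exit status from malcure_report is the signal to act, which makes it easy to fold into a cron job or a fleet-wide inventory loop.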

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file deletion attempts in WordPress or web server logs
  • Multiple failed authentication attempts followed by file operations

Network Indicators:

  • Unusual POST requests to plugin endpoints with file deletion parameters

SIEM Query:

source="wordpress.log" AND "wpmr_delete_file" AND status=200
