CVE-2025-9048
📋 TL;DR
The Wptobe-memberships WordPress plugin contains an arbitrary file deletion vulnerability in the del_img_ajax_call() function. Authenticated attackers with Subscriber-level access or higher can delete any file on the server, potentially leading to remote code execution by deleting critical files like wp-config.php. All WordPress sites using this plugin up to version 3.4.2 are affected.
💻 Affected Systems
- Wptobe-memberships WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site compromise via remote code execution after deleting wp-config.php or other critical files, leading to data theft, defacement, or malware installation.
Likely Case
Site disruption or downtime from deletion of important files, potentially requiring full restoration from backups.
If Mitigated
Limited impact if proper file permissions and access controls prevent exploitation or if the plugin is disabled.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. The vulnerability is publicly documented with code examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.4.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Wptobe-memberships' and check for updates. 4. Update to version 3.4.3 or later. 5. If no update is available, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable vulnerable plugin
allDeactivate the Wptobe-memberships plugin to prevent exploitation
wp plugin deactivate wptobe-memberships
Restrict user roles
allTemporarily restrict Subscriber role creation and review existing Subscriber accounts
🧯 If You Can't Patch
- Deactivate and remove the Wptobe-memberships plugin immediately
- Implement strict file permissions (e.g., chmod 644 for wp-config.php) and monitor for unauthorized file deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Wptobe-memberships version 3.4.2 or earlierCheck Version:
wp plugin get wptobe-memberships --field=versionVerify Fix Applied:
Verify plugin version is 3.4.3 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=del_img_ajax_call
- File deletion events in web server logs for unexpected files
- Failed file operations on wp-config.php or other critical files
Network Indicators:
- Unusual AJAX requests from authenticated users to plugin endpoints
- Increased 404 errors after successful file deletions
SIEM Query:
source="web_server_logs" AND (uri="/wp-admin/admin-ajax.php" AND parameters CONTAINS "action=del_img_ajax_call")