WordPress Plugin Vulnerabilities

NinjaScanner < 3.2.6 - Admin+ Arbitrary File Deletion

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, including files outside the WordPress root directory.

Affects Plugins

Plugin icon
ninjascanner
Fixed in 3.2.6

References

CVE
CVE-2025-8213
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1da345-ddbb-48ad-b0c1-bb0cb3b0fc69

Classification

Type
FILE DELETION
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-73
CVSS
6.6 (medium)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
13b4b607-9726-40a3-90e9-18772c391287

Timeline

Publicly Published
2025-07-30 (about 9 months ago)
Added
2025-07-31 (about 9 months ago)
Last Updated
2025-07-31 (about 9 months ago)

Other

Published
Title
Published
2025-11-20
Title
WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter
Published
2021-11-10
Title
Error Log Viewer Plugin < 1.1.2 - Admin+ Arbitrary File Clearing
Published
2025-04-07
Title
Simple WP Events < 1.9.0 - Unauthenticated Arbitrary File Deletion
Published
2025-05-23
Title
eMagicOne Store Manager for WooCommerce < 1.3.0 - Unauthenticated Arbitrary File Deletion
Published
2025-05-16
Title
WPBot Pro Wordpress Chatbot < 13.7.0 - Authenticated (Subscriber+) Arbitrary File Deletion