WordPress Plugin Vulnerabilities

Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal < 16.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read

Description

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
wp-malware-removal
Fixed in 16.9

References

CVE
CVE-2025-7772
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/18ce05fa-0b10-4796-9e78-03e653b862da

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Arkadiusz Hydzik
Verified
No
WPVDB ID
352c4ea0-b6cb-4b5a-9000-2b8a7e575ace

Timeline

Publicly Published
2025-06-12 (about 1 year ago)
Added
2025-07-17 (about 11 months ago)
Last Updated
2025-07-18 (about 11 months ago)

Other

Published
Title
Published
2026-03-17
Title
The League <= 4.4.1 - Missing Authorization
Published
2025-05-16
Title
Sharespine Woocommerce Connector < 4.8.56 - Missing Authorization
Published
2025-01-06
Title
RSVP and Event Management < 2.7.14 - Missing Authorization
Published
2023-10-12
Title
Nexter < 2.0.4 - Missing Authorization
Published
2025-05-07
Title
Ovation Elements < 1.1.3 - Missing Authorization