Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal < 17.1 – Authenticated (Subscriber+) Arbitrary File Deletion | CVE 2025-6043 | Plugin Vulnerabilities

Description

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.

Affects Plugins

wp-malware-removal

Fixed in 17.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d44fe4d7-1af5-4e26-a33c-43a9cce4174c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

a873a458-afb7-45ea-9c58-9e4f1b23893c

Timeline

Publicly Published

2025-07-15 (about 11 months ago)

Added

2025-07-15 (about 11 months ago)

Last Updated

2025-07-17 (about 11 months ago)

Other

Published

Title

Published

2025-12-31

Title

Worker for Elementor <= 1.0.10 - Missing Authorization

Published

2025-01-07

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.12 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-01-10

Title

POST SMTP Mailer < 2.8.8 - Authorization Bypass via type connect-app API

Published

2024-06-04

Title

Gutenberg Blocks and Page Layouts – Attire Blocks < 1.9.3 - Missing Authorization

Published

2024-08-26

Title

LWS Affiliation < 2.3.5 - Missing Authorization