High severity8.1NVD Advisory· Published Jul 16, 2025· Updated Apr 15, 2026
CVE-2025-6043
CVE-2025-6043
Description
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/wp-malware-removal/tags/16.8/wpmr.phpnvd
- plugins.trac.wordpress.org/browser/wp-malware-removal/tags/16.8/wpmr.phpnvd
- plugins.trac.wordpress.org/browser/wp-malware-removal/tags/16.8/wpmr.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/d44fe4d7-1af5-4e26-a33c-43a9cce4174cnvd
News mentions
0No linked articles in our index yet.