CVE-2025-6043

Severity: HIGH, 8.1 (CVSS 3.1)
Published: 2025-07-16 by [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: High

Lifecycle Timeline (2 events)

Analysis Generated: Apr 08, 2026 - 19:39 (vuln.today)
CVE Published: Jul 16, 2025 - 07:15 (nvd), rated HIGH 8.1

Description (NVD)

The Malcure Malware Scanner - #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.

Analysis (AI)

Arbitrary file deletion in Malcure Malware Scanner for WordPress (versions ≤17.0): wpmr_delete_file() performs no capability check, so any authenticated user, down to the Subscriber role, can invoke it and delete any file the web server account is allowed to write. Because the supplied path is not confined to the plugin's working directory, traversal to wp-config.php or other core files is possible. Deleting wp-config.php drops WordPress back into its installation routine, which an attacker can complete against a database they control to obtain an administrator account and from there execute code (for example by uploading a plugin); this is the usual route from arbitrary file deletion to remote code execution on WordPress, which is why the CVSS vector scores integrity and availability as High. The code path is reachable only when the plugin's advanced mode is enabled. Affects authenticated low-privilege users (PR:L). No public exploit identified at time of analysis.

Technical Context (AI)

CWE-862 (missing authorization): wpmr_delete_file() (wpmr.php lines 4570, 6304, 6401 per the Trac references) never verifies that the caller holds an appropriate capability, so the intended access control is satisfied by any logged-in user. The function also accepts a user-controlled file path without rejecting directory traversal sequences, so deletion is not confined to the plugin's own scope. The advanced mode setting is a site-wide feature toggle, not a per-user authorization check; once enabled it exposes the function to every authenticated account.
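The following is an added illustration and is not the Malcure plugin's code (the page does not reproduce wpmr_delete_file()). It reconstructs the bug class described above as a hypothetical WordPress AJAX handler that deletes a caller-named file with neither a capability check nor path confinement, followed by a hardened version of the same handler. The hook names, function names, nonce action and the choice of WP_CONTENT_DIR as the allowed root are all assumptions made for the example.

```php
<?php
// Added example: hypothetical plugin code, not the Malcure plugin's own source.
// Registering on wp_ajax_* (as opposed to wp_ajax_nopriv_*) only requires that
// *some* user is logged in. A Subscriber, whose only capability is 'read',
// satisfies that condition.

// --- Vulnerable pattern (CWE-862, the bug class of CVE-2025-6043) ---
add_action( 'wp_ajax_example_delete_file_vulnerable', 'example_delete_file_vulnerable' );
function example_delete_file_vulnerable() {
    // No current_user_can() check: any authenticated role reaches this point.
    // The path is used as supplied, so "../" sequences are honoured.
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( '' !== $file && file_exists( $file ) ) {
        unlink( $file ); // e.g. file=../../wp-config.php
    }
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_hardened' );
function example_delete_file_hardened() {
    // 1. Authorization: only users who may manage the site can delete files.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 3. Path confinement: resolve the requested name relative to the directory
    //    the feature is meant to operate on and require it to stay inside.
    $root      = realpath( WP_CONTENT_DIR );
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $target    = realpath( $root . '/' . ltrim( $requested, '/\\' ) );

    if ( false === $target || 0 !== strpos( $target, $root . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path outside allowed directory', 400 );
    }
    // 4. Defence in depth: never remove files the site cannot run without,
    //    even if a future change widens the allowed root.
    if ( in_array( basename( $target ), array( 'wp-config.php', '.htaccess' ), true ) ) {
        wp_send_json_error( 'protected file', 400 );
    }
    if ( ! is_file( $target ) || ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $target ) );
}
```

The realpath() step is what defeats traversal: "../../wp-config.php" resolves to a path above the allowed root and fails the prefix comparison before unlink() is ever reached. A site-wide "advanced mode" option that merely enables the feature is not a substitute for step 1, because it says nothing about who is making the request.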

Affected Products (AI)

Malcure Malware Scanner (WP Malware Removal), vendor Malcure Security, WordPress plugin versions up to and including 17.0. Vulnerable instances require advanced mode activation. CPE: cpe:2.3:a:malcure:malware_scanner:*:*:*:*:*:wordpress:*:* (versions ≤17.0).

Remediation (AI)

Vendor patch status: an upstream fix is reported (PR/commit), but a released patched version has not been independently confirmed. The Trac references cited show the vulnerable code in version 16.8, while the CVE lists all versions up to and including 17.0 as affected; check the WordPress plugin repository for a release later than 17.0 (17.1 or newer) and update as soon as one is available. Immediate mitigation: disable advanced mode in the plugin settings, which removes the only code path through which the function is reachable. For critical environments, deactivate the plugin entirely until a patched release is confirmed. Implement file integrity monitoring to detect unauthorized deletions, treating the disappearance of wp-config.php as a critical alert, since that is the deletion that opens the path to remote code execution. Restrict creation of Subscriber-level accounts (for example, turn off "Anyone can register" under Settings > General, the users_can_register option) and audit existing low-privilege users. Review the Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/d44fe4d7-1af5-4e26-a33c-43a9cce4174c?source=cve for vendor updates and technical indicators of compromise.
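As an added example of the file integrity monitoring recommended above (not code from the page, the vendor or Wordfence), the following PHP command-line script takes a SHA-256 baseline of a WordPress document root and later reports deleted, modified and added files, flagging a missing wp-config.php specifically. The script name, paths and baseline file name are assumptions; it relies only on the PHP standard library.

```php
<?php
// Added example, not from the page or the vendor: a minimal baseline/check
// file integrity monitor for a WordPress install.
//   php wp-fim.php baseline /var/www/html > baseline.json   (hypothetical paths)
//   php wp-fim.php check /var/www/html baseline.json
// Exit status: 0 unchanged, 1 differences found, 2 usage error.

function fim_snapshot( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $it     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( $file->isFile() ) {
            // Store paths relative to the root so the baseline is portable.
            $rel            = substr( $file->getPathname(), strlen( $root ) + 1 );
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

function fim_diff( array $baseline, array $current ): array {
    $deleted  = array_keys( array_diff_key( $baseline, $current ) );
    $added    = array_keys( array_diff_key( $current, $baseline ) );
    $modified = array();
    foreach ( array_intersect_key( $baseline, $current ) as $path => $hash ) {
        if ( ! hash_equals( $hash, $current[ $path ] ) ) {
            $modified[] = $path;
        }
    }
    return array( 'deleted' => $deleted, 'added' => $added, 'modified' => $modified );
}

$mode = $argv[1] ?? '';
$root = $argv[2] ?? '';

if ( 'baseline' === $mode && is_dir( $root ) ) {
    echo json_encode( fim_snapshot( $root ), JSON_PRETTY_PRINT ), "\n";
    exit( 0 );
}

if ( 'check' === $mode && is_dir( $root ) && isset( $argv[3] ) && is_file( $argv[3] ) ) {
    $baseline = json_decode( file_get_contents( $argv[3] ), true );
    $report   = fim_diff( $baseline, fim_snapshot( $root ) );

    // Loss of wp-config.php is the deletion that turns this bug class into RCE:
    // WordPress falls back to its installer when the file is absent.
    if ( in_array( 'wp-config.php', $report['deleted'], true ) ) {
        fwrite( STDERR, "CRITICAL: wp-config.php has been deleted\n" );
    }
    echo json_encode( $report, JSON_PRETTY_PRINT ), "\n";
    exit( ( $report['deleted'] || $report['modified'] || $report['added'] ) ? 1 : 0 );
}

fwrite( STDERR, "usage: php wp-fim.php baseline <root> | check <root> <baseline.json>\n" );
exit( 2 );
```

Run the check from cron or a systemd timer under an account other than the web server user so the baseline file itself cannot be altered through the same vulnerability. Directories that change legitimately (wp-content/uploads, caches) will show up as "added" or "modified"; either exclude them in fim_snapshot() or refresh the baseline after every deployment, and note that a wp-config.php kept one level above the document root must be covered by a second baseline.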


CVE-2025-6043 vulnerability details – vuln.today
