Cyber Posture

CVE-2025-6043

High

Published: 16 July 2025

Modified: 15 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0073 (72.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-6043 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004). The CVE ranks in the top 27.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to File Deletion (T1070.004) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

AC-3 enforces approved authorizations for access to system resources, directly mitigating the missing capability check in the wpmr_delete_file() function that allows arbitrary file deletion.

prevent

AC-6 implements least privilege to restrict Subscriber-level users from accessing file deletion functions, preventing low-privileged exploitation.

prevent

SI-2 requires identification, reporting, and correction of system flaws like the missing authorization in the plugin, preventing exploitation through patching.

MITRE ATT&CK Enterprise Techniques

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Missing authorization lets a low-privileged authenticated user delete arbitrary server files, which maps directly to File Deletion (for impact or indicator removal) and to Data Destruction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.

Deeper analysis

CVE-2025-6043 is an Arbitrary File Deletion vulnerability in the Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress, affecting all versions up to and including 17.0. The issue arises from a missing capability check in the wpmr_delete_file() function, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high-impact integrity and availability risks with low complexity and privileges required.

Authenticated attackers possessing Subscriber-level access or higher can exploit this vulnerability when advanced mode is enabled on the affected site. By invoking the wpmr_delete_file() function without proper authorization, they can delete arbitrary files on the server, which may enable remote code execution depending on the targeted files and site configuration.

Advisories reference vulnerable code locations in the plugin's WordPress Trac repository for version 16.8, specifically lines 4570, 6304, and 6401 in wpmr.php, along with a Wordfence threat intelligence report (ID: d44fe4d7-1af5-4e26-a33c-43a9cce4174c) providing further details on the issue.

Details

CWE(s)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-31182 (shared CWE-862)
CVE-2026-26103 (shared CWE-862)
CVE-2025-14457 (shared CWE-862)
CVE-2026-25443 (shared CWE-862)
CVE-2026-4365 (shared CWE-862)
CVE-2026-4119 (shared CWE-862)
CVE-2025-68547 (shared CWE-862)
CVE-2025-23512 (shared CWE-862)
CVE-2026-32817 (shared CWE-862)
CVE-2025-22657 (shared CWE-862)

References