Cyber Resilience

CVE-2025-6043

High

Published: 16 July 2025

Published
16 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0196 83.9th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-6043 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique File Deletion (T1070.004); ranked in the top 16.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The Malcure Malware Scanner plugin for WordPress is affected by an arbitrary file deletion vulnerability (CVE-2025-6043) stemming from a missing capability check in the wpmr_delete_file() function. The flaw impacts all versions through 17.0 and is present in the plugin's core file-handling logic, as referenced in the WordPress plugin repository traces.

Authenticated attackers holding Subscriber-level privileges or higher can exploit the issue when advanced mode is enabled on the target site. Successful exploitation permits deletion of arbitrary files on the server, which in turn enables remote code execution by removing or overwriting critical components such as configuration or executable files.

The associated EPSS score remains flat at a low 0.0196 with no material increase after disclosure. Public references, including Wordfence threat intelligence and direct links to the vulnerable code paths, confirm the missing authorization check but do not detail specific patch timelines or mitigation steps beyond standard plugin update practices.

EU & UK References

Vulnerability details

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes…

more

it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Missing authorization enables low-priv authenticated deletion of arbitrary server files, directly mapping to file deletion for impact or indicator removal and data destruction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-31182Shared CWE-862
CVE-2024-13767Shared CWE-862
CVE-2026-26103Shared CWE-862
CVE-2026-4365Shared CWE-862
CVE-2025-23512Shared CWE-862
CVE-2026-4094Shared CWE-862
CVE-2025-59022Shared CWE-862
CVE-2026-27181Shared CWE-862
CVE-2026-4119Shared CWE-862
CVE-2024-12104Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations for access to system resources, directly mitigating the missing capability check in the wpmr_delete_file() function that allows arbitrary file deletion.

prevent

AC-6 implements least privilege to restrict Subscriber-level users from accessing file deletion functions, preventing low-privileged exploitation.

prevent

SI-2 requires identification, reporting, and correction of system flaws like the missing authorization in the plugin, preventing exploitation through patching.

References