CVE-2025-9048
Published: 23 August 2025
Summary
CVE-2025-9048 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the insufficient file path validation in del_img_ajax_call() by requiring robust input validation at the AJAX endpoint to prevent arbitrary file deletions.
Requires timely identification, reporting, and patching of the flaw in the Wptobe-memberships plugin up to version 3.4.2 to eliminate arbitrary file deletion capability.
Enforces least privilege to restrict Subscriber-level users from accessing file deletion functions beyond their authorized scope, reducing the attack surface even if validation fails.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln in public-facing WordPress plugin directly enables remote exploitation (T1190); arbitrary file deletion maps to T1070.004, with wp-config.php deletion facilitating further impact.
NVD Description
The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and…
more
above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Deeper analysisAI
CVE-2025-9048 is a vulnerability in the Wptobe-memberships plugin for WordPress, affecting all versions up to and including 3.4.2. It stems from insufficient file path validation in the del_img_ajax_call() function, enabling arbitrary file deletion on the server. Published on 2025-08-23, the issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is linked to CWE-73 (External Control of File Name or Path).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By targeting arbitrary files, they can achieve significant impact, including high integrity and availability disruption; for instance, deleting wp-config.php can facilitate remote code execution.
References point to the affected source code in the WordPress plugin repositories, including the SVN trunk at plugins.svn.wordpress.org/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php and Trac browser view at line 156 in plugins.trac.wordpress.org/browser/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php#L156, along with Wordfence threat intelligence at www.wordfence.com/threat-intel/vulnerabilities/id/466568c5-33a9-4891-b4ad-9bc6052603cb?source=cve.
Details
- CWE(s)