CVE-2025-2004

Name of the Vulnerable Software and Affected Versions: Simple WP Events plugin for WordPress versions up to and including 1.8.17

Description: The issue arises from insufficient file path validation in the wpe delete file AJAX action, allowing unauthenticated attackers to delete arbitrary files on the server. This can lead to remote code execution if the right file, such as wp-config.php, is deleted.

Recommendations: For versions up to and including 1.8.17, update to a version higher than 1.8.17 to resolve the issue. As a temporary workaround, consider disabling the wpe delete file AJAX action until a patch is available. Restrict access to sensitive files, such as wp-config.php, to minimize the risk of exploitation.