PT-2025-29708 · WordPress · Malcure Malware Scanner — #1 Toolset For Wordpress Malware Removal

Arkadiusz Hydzik · Published 2025-07-15 · Updated 2025-07-24 · CVE-2025-6043

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress versions through 16.8

Description

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function. This allows authenticated attackers with Subscriber-level access or above to delete arbitrary files, potentially leading to remote code execution. This is only exploitable when advanced mode is enabled on the site.

Recommendations

Versions prior to 16.9: Ensure a capability check is implemented within the wpmr_delete_file() function to restrict file deletion access to authorized users only.

Versions prior to 16.9: Disable advanced mode on the site to prevent exploitation of the vulnerability.

Fix

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

BDU:2025-16385
CVE-2025-6043

Affected Products

Malcure Malware Scanner — #1 Toolset For Wordpress Malware Removal