CVE-2025-9048

Name of the Vulnerable Software and Affected Versions: Wptobe-memberships plugin for WordPress versions through 3.4.2

Description: The Wptobe-memberships plugin for WordPress is susceptible to arbitrary file deletion due to inadequate file path validation within the del img ajax call() function. Authenticated attackers possessing Subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. Deletion of critical files, such as wp-config.php, could lead to remote code execution.

Recommendations: Update the Wptobe-memberships plugin to a version later than 3.4.2.