CVE-2025-4799 is an absolute path traversal vulnerability (CWE-36) found in the WP-DownloadManager plugin for WordPress, affecting all versions up to 1.68.10. The vulnerability arises because the plugin does not properly restrict the directories from which files can be deleted. Authenticated users with administrator-level privileges can exploit this flaw to delete arbitrary files on the server filesystem. This capability can be leveraged to remove critical WordPress files such as wp-config.php, which contains database credentials and other sensitive configuration data. Deleting such files can lead to remote code execution (RCE) by destabilizing the WordPress environment or enabling attackers to upload malicious files or modify existing ones. The vulnerability can be chained with CVE-2025-4798, which presumably allows further file manipulation within the WordPress root directory, thereby expanding the attacker's control. The CVSS v3.1 score of 7.2 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and requiring high privileges but no user interaction. No patches or fixes are currently linked, indicating the need for immediate attention from site administrators. The vulnerability was reserved and published in mid-2025, with Wordfence as the assigner, and no known exploits have been reported in the wild yet.

The impact of CVE-2025-4799 is significant for organizations running WordPress sites with the WP-DownloadManager plugin installed. Successful exploitation allows attackers with administrator access to delete any file on the server, including critical configuration files like wp-config.php. This can lead to complete site compromise through remote code execution, data loss, and service disruption. The ability to delete arbitrary files threatens the confidentiality and integrity of the website and its data, as well as availability if essential files are removed. Organizations relying on WordPress for business operations, e-commerce, or content delivery face risks of downtime, data breaches, and reputational damage. Since the vulnerability requires administrator privileges, the risk is heightened if credentials are compromised or if insider threats exist. Combining this vulnerability with CVE-2025-4798 further amplifies the attacker's capabilities, potentially allowing full control over the WordPress root directory. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity score underscores the urgency of addressing this issue.

1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 2. Monitor and audit administrator activities closely to detect any unauthorized file deletion attempts. 3. Temporarily disable or remove the WP-DownloadManager plugin until a security patch or update is released by the vendor. 4. If disabling the plugin is not feasible, implement web application firewall (WAF) rules to detect and block suspicious requests targeting file deletion endpoints within the plugin. 5. Regularly back up the entire WordPress site, including the wp-config.php file and other critical files, to enable rapid recovery in case of deletion or tampering. 6. Keep WordPress core, themes, and all plugins updated to their latest versions to minimize exposure to known vulnerabilities. 7. Review and harden file system permissions on the server to limit the ability of the web server process to delete or modify sensitive files outside designated directories. 8. Stay informed about vendor advisories and apply patches as soon as they become available. 9. Conduct penetration testing and vulnerability assessments focusing on plugin security to identify similar issues proactively.