CVE-2025-4799: CWE-36 Absolute Path Traversal in gamerz WP-DownloadManager
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to delete any file within the WordPress root directory.
AI Analysis
Technical Summary
CVE-2025-4799 is a high-severity vulnerability affecting the WP-DownloadManager plugin for WordPress, developed by gamerz. The vulnerability is classified as CWE-36, an Absolute Path Traversal flaw, which allows an authenticated attacker with Administrator-level privileges or higher to delete arbitrary files on the server. This occurs due to insufficient restrictions on the directories from which files can be deleted, present in all versions up to and including 1.68.10 of the plugin. By exploiting this vulnerability, an attacker can delete critical files such as wp-config.php, which contains database credentials and configuration settings. The deletion of such files can lead to remote code execution (RCE) by destabilizing the WordPress environment or enabling further exploitation. Additionally, this vulnerability can be combined with CVE-2025-4798 to delete any file within the WordPress root directory, significantly expanding the attack surface. The CVSS v3.1 base score of 7.2 reflects the network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability's nature and impact make it a critical concern for WordPress sites using this plugin. The lack of available patches at the time of publication necessitates immediate attention to mitigate potential risks.
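The defensive counterpart of CWE-36 is a containment check that canonicalises the requested path and refuses anything that does not resolve inside the directory the plugin is meant to manage. The example below is added here for illustration; it is not the WP-DownloadManager code and does not reproduce the plugin's logic. It contrasts a naive resolution (the Python `os.path.join` pitfall, where an absolute component silently replaces the base directory) with a hardened resolver, against a constructed temporary directory layout that stands in for a WordPress root. Directory and file names are made up.

```python
import os
import tempfile


def naive_resolve(base_dir: str, requested: str) -> str:
    """The pattern behind CWE-36 (illustration, not the plugin's code).

    os.path.join discards every earlier component when a later one is
    absolute, so an absolute 'requested' replaces base_dir entirely, and
    relative '../' sequences are never checked.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_in_base(base_dir: str, requested: str) -> str:
    """Return the canonical path for 'requested' only if it stays inside base_dir.

    Absolute inputs are rejected up front; both sides are canonicalised
    (symlinks included) and containment is checked with commonpath, which
    does not fall for a sibling directory that merely shares a prefix.
    """
    if os.path.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the download directory")
    if target == base:
        raise ValueError("refusing to operate on the directory itself")
    return target


def delete_download(base_dir: str, requested: str) -> str:
    """Delete a managed file after the containment check; returns the deleted path."""
    target = resolve_in_base(base_dir, requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    os.remove(target)
    return target


def demo() -> dict:
    """Constructed scenario: a downloads directory and a critical file outside it."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "wp-content", "downloads")
    os.makedirs(downloads)
    critical = os.path.join(root, "wp-config.php")  # stand-in for the real file
    with open(critical, "w") as f:
        f.write("<?php // constructed stand-in\n")
    managed = os.path.join(downloads, "report.pdf")
    with open(managed, "w") as f:
        f.write("pdf")

    results = {}
    # naive resolution lets both an absolute path and '../' reach the critical file
    results["naive_abs"] = naive_resolve(downloads, critical) == critical
    results["naive_rel"] = naive_resolve(downloads, "../../wp-config.php") == critical
    # the hardened resolver refuses both forms
    for label, req in (("hard_abs", critical), ("hard_rel", "../../wp-config.php")):
        try:
            resolve_in_base(downloads, req)
            results[label] = "allowed"
        except ValueError:
            results[label] = "rejected"
    # a legitimately managed file is still deletable, and the critical file survives
    results["deleted"] = delete_download(downloads, "report.pdf") == managed
    results["critical_intact"] = os.path.isfile(critical)
    return results


if __name__ == "__main__":
    print(demo())
```

In a PHP plugin the same shape applies: reject absolute input, call `realpath()` on the base and on the joined path, and compare the resolved prefix; the check belongs in the deletion handler itself, not only in the UI that builds the file list.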
Potential Impact
For European organizations, the impact of CVE-2025-4799 can be substantial, especially for those relying on WordPress sites with the WP-DownloadManager plugin installed. The ability for an attacker with admin privileges to delete arbitrary files threatens the confidentiality, integrity, and availability of web assets. Deletion of configuration files like wp-config.php can lead to site downtime, data breaches, and potential full system compromise through remote code execution. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR if personal data is exposed or lost. Organizations in sectors such as e-commerce, government, healthcare, and media, which often use WordPress for content management, are particularly at risk. The vulnerability also poses a risk to managed service providers hosting multiple WordPress instances, potentially enabling widespread compromise. Given the high privileges required, the threat is more severe in environments where administrator accounts are shared, weakly protected, or compromised through other means.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately audit all WordPress installations to identify the presence of the WP-DownloadManager plugin and verify its version.
2) Restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
3) Implement file system permissions that limit the WordPress process's ability to delete critical files outside designated directories, using operating system-level controls such as chroot jails or containerization where feasible.
4) Monitor logs for unusual file deletion activities and set up alerts for deletion of critical files like wp-config.php.
5) Until an official patch is released, consider disabling or removing the WP-DownloadManager plugin if it is not essential.
6) Regularly back up WordPress files and databases with secure, offline copies to enable rapid recovery in case of file deletion or compromise.
7) Stay updated with vendor advisories and apply patches promptly once available.
8) Conduct penetration testing and vulnerability assessments focusing on WordPress plugins to identify similar risks proactively.
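Recommendation 4 above (alert on deletion of critical files) can be implemented on Linux with an auditd watch on the WordPress root, for example `auditctl -w /var/www/html -p wa -k wp-root`, and a small correlator over the resulting records. The script below is an added example, not part of this advisory or of any vendor tooling. It parses a constructed auditd excerpt (paths, UIDs and serials are made up), joins each SYSCALL record to its PATH records by audit serial, and reports deletions of files on a watchlist, including failed attempts, since a refused unlink of wp-config.php is itself worth an alert.

```python
import re
from collections import defaultdict

# Constructed auditd excerpt. Serial 1001 is a routine file creation under the
# downloads directory; 1002 is a successful deletion of wp-config.php by the PHP
# worker; 1003 is a deletion of .htaccess that the kernel refused (exit=-13, EACCES).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718000000.101:1001): arch=c000003e syscall=257 success=yes exit=5 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" uid=33 key="wp-root"
type=PATH msg=audit(1718000000.101:1001): item=1 name="/var/www/html/wp-content/downloads/report.pdf" nametype=CREATE
type=SYSCALL msg=audit(1718000000.205:1002): arch=c000003e syscall=87 success=yes exit=0 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" uid=33 key="wp-root"
type=PATH msg=audit(1718000000.205:1002): item=0 name="/var/www/html/" nametype=PARENT
type=PATH msg=audit(1718000000.205:1002): item=1 name="/var/www/html/wp-config.php" nametype=DELETE
type=SYSCALL msg=audit(1718000000.300:1003): arch=c000003e syscall=87 success=no exit=-13 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" uid=33 key="wp-root"
type=PATH msg=audit(1718000000.300:1003): item=1 name="/var/www/html/.htaccess" nametype=DELETE
"""

# Files whose deletion should page someone; assumed install path /var/www/html.
CRITICAL_FILES = {
    "/var/www/html/wp-config.php",
    "/var/www/html/.htaccess",
    "/var/www/html/index.php",
}

SERIAL_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd record into a dict of key=value fields plus ts/serial."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = m.group("serial")
    fields["ts"] = float(m.group("ts"))
    return fields


def find_critical_deletions(log_text, critical=CRITICAL_FILES):
    """Group records by audit serial and flag deletions of watched files.

    Each alert carries the outcome, the process name and the UID from the
    SYSCALL record, so failed attempts (success=no) are reported as well.
    """
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH" and rec.get("nametype") == "DELETE":
            ev["deleted"] = rec["name"]
    alerts = []
    for serial, ev in sorted(events.items()):
        path = ev.get("deleted")
        if path in critical and "syscall" in ev:
            sc = ev["syscall"]
            alerts.append({
                "serial": serial,
                "path": path,
                "succeeded": sc.get("success") == "yes",
                "comm": sc.get("comm"),
                "uid": sc.get("uid"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_critical_deletions(SAMPLE_AUDIT_LOG):
        state = "DELETED" if alert["succeeded"] else "deletion attempt blocked"
        print(f"serial {alert['serial']}: {state} {alert['path']} by {alert['comm']} (uid {alert['uid']})")
```

Run the same logic against `ausearch -k wp-root` output in production; the watchlist is the only site-specific part.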
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-15T19:37:36.032Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6848fed43cd93dcca831b163
Added to database: 6/11/2025, 3:58:12 AM
Last enriched: 7/12/2025, 1:02:57 AM
Last updated: 8/8/2025, 8:23:01 AM
Related Threats
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)