
CVE-2025-4946: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Odin_Design Vikinger

Severity: High
Tags: Vulnerability, CVE-2025-4946, CWE-22
Published: Wed Jul 02 2025 (07/02/2025, 09:23:23 UTC)
Source: CVE Database V5
Vendor/Project: Odin_Design
Product: Vikinger

Description

The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/27/2026, 14:54:39 UTC

Technical Analysis

CVE-2025-4946 is a path traversal vulnerability (CWE-22) in the Vikinger WordPress theme developed by Odin_Design. It arises from improper validation of file paths in the vikinger_delete_activity_media_ajax() function, which handles AJAX requests to delete media files associated with user activities. Because the function does not adequately restrict or sanitize the file path it receives, authenticated users with minimal privileges (Subscriber-level or above) can manipulate the path parameter so that the function deletes arbitrary files anywhere on the server filesystem. The vulnerable code path is reachable only when the Vikinger Media plugin is installed and active, since that plugin integrates with the affected function. Arbitrary file deletion can be used to remove critical WordPress configuration files such as wp-config.php, potentially leading to remote code execution or denial of service. The vulnerability is exploitable over the network without user interaction and has low attack complexity, making it a significant threat. Although no public exploits have been observed, the vulnerability's characteristics and the widespread use of WordPress themes make it a high-risk issue. It affects all versions of Vikinger up to and including 1.9.32, and no official patches have been linked yet. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) reflects that the attack requires low privileges but can cause high impact on integrity and availability without affecting confidentiality.

Potential Impact

The vulnerability allows attackers with minimal authenticated access to delete arbitrary files on the web server hosting the WordPress site. This can lead to severe consequences including deletion of critical configuration files (e.g., wp-config.php), which can disrupt the website’s operation or enable remote code execution by manipulating or replacing files. The integrity of the website and its data is at high risk, and availability can be significantly impacted if essential files are removed. Since WordPress powers a large portion of the web, and the Vikinger theme is used by various organizations, the potential for widespread disruption exists. Attackers could leverage this flaw to compromise websites, deface content, or pivot to deeper network intrusion. The requirement for only Subscriber-level privileges lowers the barrier for exploitation, increasing the threat to organizations that allow user registrations or have multiple user roles. The lack of user interaction and the network-based attack vector further increase the risk of automated exploitation attempts once public exploits emerge.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations to identify if the Vikinger theme and Vikinger Media plugin are installed and active. Until an official patch is released, administrators should consider disabling or uninstalling the Vikinger Media plugin to mitigate the attack vector. Restricting user roles and permissions to minimize Subscriber-level access or implementing stricter user registration controls can reduce exposure. Web application firewalls (WAFs) should be configured to detect and block suspicious AJAX requests attempting to delete files, particularly those with path traversal patterns (e.g., '../'). Monitoring server logs for unusual file deletion requests or errors related to critical files can provide early detection. Additionally, implementing file integrity monitoring on key configuration and system files can alert administrators to unauthorized changes or deletions. Once a patch is available, prompt application of updates is critical. Employing least privilege principles for file system permissions can also limit the damage caused by arbitrary file deletions.
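As an added example (not code from this page, the Vikinger theme, or Wordfence), here is the containment check that the technical analysis says the delete handler lacks and that the mitigation section asks defenders to enforce, written in Python against a constructed media directory: the requested name is percent-decoded once, canonicalised, and accepted only if it still lies under the media root and names a regular file. The directory layout, the user7/photo.jpg sample, and the wp-config.php stand-in are assumptions made for the demonstration.

```python
import tempfile
import urllib.parse
from pathlib import Path
from typing import Optional

def resolve_activity_media(media_root: str, requested: str) -> Optional[Path]:
    """CWE-22 containment check: return the file a delete may touch, else None."""
    # Decode once so percent-encoded traversal (..%2F) is visible to the check;
    # a double-encoded name simply fails to match an existing file below.
    name = urllib.parse.unquote(requested)
    if not name or "\x00" in name or Path(name).is_absolute():
        return None
    root = Path(media_root).resolve()
    # resolve() follows symlinks, so a link inside root that points outside
    # fails the containment test exactly like a literal "../".
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    # Only regular files (never root itself or a directory) are deletable.
    if candidate == root or not candidate.is_file():
        return None
    return candidate

def delete_activity_media(media_root: str, requested: str) -> bool:
    """Delete the requested media file only if the containment check passes."""
    target = resolve_activity_media(media_root, requested)
    if target is None:
        return False
    target.unlink()
    return True

def demo() -> dict:
    """Exercise the check against a throwaway, constructed media directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads" / "vikinger-activity"  # assumed layout
        (root / "user7").mkdir(parents=True)
        (root / "user7" / "photo.jpg").write_bytes(b"constructed sample")
        wp_config = Path(tmp) / "wp-config.php"  # constructed stand-in target
        wp_config.write_text("<?php // constructed stand-in\n")
        requests = {"benign": "user7/photo.jpg",
                    "traversal": "../../wp-config.php",
                    "encoded": "..%2F..%2Fwp-config.php",
                    "absolute": str(wp_config),
                    "directory": "user7"}
        outcome = {k: delete_activity_media(str(root), v) for k, v in requests.items()}
        outcome["wp_config_intact"] = wp_config.exists()
        return outcome
```

Calling demo() deletes only the benign in-root file; every traversal, encoded, absolute and directory request is refused and the stand-in wp-config.php survives.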


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-19T05:22:38.122Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6864fe536f40f0eb72923f1a

Added to database: 7/2/2025, 9:39:31 AM

Last enriched: 2/27/2026, 2:54:39 PM

Last updated: 3/22/2026, 3:04:56 AM

Views: 147


