CVE-2025-6043: CWE-862 Missing Authorization in malcure Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 16.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.
AI Analysis
Technical Summary
CVE-2025-6043 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Malcure Malware Scanner plugin for WordPress, a popular toolset for malware removal. The vulnerability arises from the lack of a capability check in the wpmr_delete_file() function, which is responsible for deleting files. This missing authorization allows any authenticated user with at least Subscriber-level privileges to invoke this function and delete arbitrary files on the server. The deletion of arbitrary files can be leveraged to remove critical WordPress or server files, potentially enabling remote code execution (RCE) by attackers. The vulnerability is present in all plugin versions up to and including 16.8 and requires that the WordPress site has advanced mode enabled, which likely exposes additional functionality or endpoints. The CVSS v3.1 base score is 8.1, reflecting a high severity due to the ease of exploitation (low attack complexity), the requirement of only low privileges (PR:L), no user interaction, and the significant impact on integrity and availability. The vulnerability is network exploitable and does not affect confidentiality directly but can lead to severe consequences through integrity and availability compromise. No patches have been officially released at the time of publication, and no known exploits have been reported in the wild. The vulnerability was reserved and published by Wordfence in mid-2025.
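The capability check whose absence is described above, shown in a hardened file-deletion handler. This is an added example, not the Malcure plugin's code: the handler and AJAX action name `example_delete_file`, the `nonce` and `file` request parameters, the choice of the `manage_options` capability and the uploads-only restriction are all assumptions.

```php
<?php
/**
 * Added example, not the Malcure plugin's code. The handler name, AJAX
 * action, request parameters and allowed directory are hypothetical.
 */

// The wp_ajax_* hook only requires a logged-in user. It is not an
// authorization check: every role, Subscriber included, can reach it.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file' );

function example_delete_file() {
    // 1. CSRF: reject requests that lack a valid nonce for this action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Authorization: the check whose absence is CWE-862.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Input handling: require a non-empty string path.
    $raw = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( ! is_string( $raw ) || '' === $raw ) {
        wp_send_json_error( 'Missing file parameter.', 400 );
    }

    // 4. Confinement (defence in depth, an assumption of this example):
    //    resolve symlinks and "..", then require the result to be a
    //    regular file inside the uploads directory.
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( $raw );
    if ( false === $base || false === $target || ! is_file( $target )
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'Path not allowed.', 400 );
    }

    // 5. Delete, then confirm the outcome before reporting success.
    wp_delete_file( $target );
    if ( file_exists( $target ) ) {
        wp_send_json_error( 'Delete failed.', 500 );
    }
    wp_send_json_success( array( 'deleted' => $target ) );
}
```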
Potential Impact
The vulnerability allows attackers with minimal privileges (Subscriber-level) to delete arbitrary files on the server, which can lead to remote code execution, site defacement, data loss, or complete site downtime. For organizations relying on WordPress with the Malcure plugin, this can result in significant operational disruption, reputational damage, and potential data breaches if attackers leverage the file deletion to implant backdoors or remove security-critical files. Since WordPress powers a large portion of websites globally, especially small to medium businesses and content-driven sites, the impact is widespread. The requirement for advanced mode to be enabled limits the attack surface somewhat but does not eliminate risk, especially in environments where advanced mode is enabled for enhanced scanning or management features. The vulnerability undermines the integrity and availability of affected sites, potentially allowing attackers to escalate privileges or pivot to further attacks within the hosting environment.
Mitigation Recommendations
1. Immediately disable advanced mode in the Malcure plugin settings until a security patch is released.
2. Restrict user roles and permissions to the minimum necessary, avoiding granting Subscriber or higher privileges to untrusted users.
3. Monitor file system integrity and logs for suspicious file deletion activities, especially related to plugin directories and core WordPress files.
4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the wpmr_delete_file() function or related endpoints.
5. Regularly back up WordPress sites and databases to enable quick recovery in case of file deletion or compromise.
6. Stay updated with vendor advisories and apply patches promptly once available.
7. Consider isolating WordPress instances in containerized or sandboxed environments to limit the impact of potential exploitation.
8. Conduct periodic security audits focusing on plugin permissions and capabilities to detect similar authorization issues.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-12T20:44:34.975Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68774ab7a83201eaacd43808
Added to database: 7/16/2025, 6:46:15 AM
Last enriched: 2/27/2026, 3:58:19 PM
Last updated: 3/25/2026, 4:15:54 AM