CVE-2025-7643 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the Attachment Manager plugin for WordPress developed by aaroncampbell. The flaw exists in the handle_actions() function, which fails to properly validate file paths before performing file deletion operations. This lack of validation enables unauthenticated attackers to craft malicious requests that traverse directories and delete arbitrary files on the web server hosting the WordPress site. Since all versions up to and including 2.1.2 are affected, the vulnerability is widespread among users of this plugin. The ability to delete critical files such as wp-config.php can disrupt site availability and potentially allow attackers to execute remote code by manipulating or removing configuration files essential for WordPress operation. The vulnerability is remotely exploitable over the network without any authentication or user interaction, making it highly dangerous. Although no known exploits have been reported in the wild yet, the high CVSS score of 9.1 reflects the severe impact and ease of exploitation. The vulnerability underscores the importance of strict input validation and secure file handling in web applications, especially plugins that interact with the filesystem. Organizations relying on this plugin should prioritize remediation to prevent unauthorized file deletion and potential server takeover.

The impact of CVE-2025-7643 is severe for organizations running WordPress sites with the vulnerable Attachment Manager plugin. Successful exploitation allows attackers to delete arbitrary files on the server, which can lead to denial of service by removing critical files or configuration data. More critically, deletion or tampering with files like wp-config.php can enable remote code execution, allowing attackers to gain full control over the web server and potentially the underlying infrastructure. This could lead to data breaches, website defacement, malware deployment, and lateral movement within the network. The vulnerability requires no authentication and no user interaction, increasing the risk of automated exploitation and widespread attacks. Organizations with public-facing WordPress sites are particularly vulnerable, and the compromise could damage reputation, cause financial loss, and disrupt business operations. The lack of a patch at the time of disclosure further elevates the risk, necessitating immediate mitigation.

1. Immediate mitigation should include disabling or removing the Attachment Manager plugin until a secure patched version is released. 2. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting path traversal or unauthorized file deletion actions targeting the plugin’s endpoints. 3. Restrict file system permissions for the web server user to limit the ability to delete or modify critical files such as wp-config.php and other configuration or system files. 4. Monitor server logs for unusual file deletion attempts or errors related to the plugin’s handle_actions() function. 5. If possible, isolate WordPress instances in containerized or sandboxed environments to limit the blast radius of a successful exploit. 6. Regularly back up WordPress site files and databases to enable quick restoration in case of file deletion or compromise. 7. Follow up with the plugin vendor or community for official patches and apply updates promptly once available. 8. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.