
CVE-2025-7643: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in aaroncampbell Attachment Manager

Critical
Type: Vulnerability
Tags: CVE-2025-7643, CWE-22
Published: Fri Jul 18 2025 (07/18/2025, 05:23:58 UTC)
Source: CVE Database V5
Vendor/Project: aaroncampbell
Product: Attachment Manager

Description

The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 07/18/2025, 05:46:16 UTC

Technical Analysis

CVE-2025-7643 is a critical vulnerability in the Attachment Manager plugin for WordPress, developed by aaroncampbell. It is classified as CWE-22, improper limitation of a pathname to a restricted directory, commonly known as path traversal. The flaw lies in the plugin's handle_actions() function and affects all versions up to and including 2.1.2: because the function does not sufficiently validate the file path it is given, an unauthenticated attacker can make it delete arbitrary files on the server hosting the WordPress site. The attack requires neither authentication nor user interaction, so it is reachable by any remote attacker.

Arbitrary file deletion is severe on its own, and here it can escalate further. If wp-config.php is removed, WordPress no longer has its database configuration and falls back to its installation routine for whoever requests the site, which is the route by which deletion of the right file can end in remote code execution (RCE) and full control of the installation.

The CVSS v3.1 base score of 9.1 reflects this: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H) and high availability impact (A:H). No exploitation in the wild had been reported at the time of publication, but the vulnerability's characteristics make it a prime target now that it is disclosed, and the absence of a patch at publication leaves affected installations exposed. Given how widely WordPress and its plugins are deployed, the vulnerability is a significant threat to any site still running the Attachment Manager plugin without mitigation.
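
The advisory describes the defect only as "insufficient file path validation". The following is an added example, not code from the Attachment Manager plugin or from the advisory, showing the containment check a file-deletion handler needs in order to avoid CWE-22, next to the kind of prefix check that is not sufficient. The base directory UPLOADS_DIR is an assumption chosen for illustration; path handling is done lexically with posixpath so the example runs on any platform, and safe_delete() additionally resolves symlinks before unlinking, as a real handler should.

```python
"""Added example (not the plugin's code): restricting a deletable path to one
directory. UPLOADS_DIR is a constructed value."""
import os
import posixpath
from typing import Optional

UPLOADS_DIR = "/var/www/html/wp-content/uploads"  # assumed base directory


def naive_check(base: str, user_path: str) -> bool:
    """A prefix check on the joined string: this is NOT sufficient.

    It accepts '../' sequences (the joined string still starts with base)
    and sibling directories such as 'uploads_old' that share the prefix.
    """
    return posixpath.join(base, user_path).startswith(base)


def resolve_within(base: str, user_path: str) -> Optional[str]:
    """Return the normalized absolute path if it lies strictly inside base.

    Returns None for empty paths, NUL bytes, absolute paths, any path that
    escapes base after normalization, and base itself.
    """
    if not user_path or "\x00" in user_path:
        return None
    if posixpath.isabs(user_path):
        return None  # join() would discard base for an absolute input
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # After normalization '..' is gone; what remains is whether candidate is a
    # descendant of base. commonpath compares whole path components, so
    # 'uploads_old' is not mistaken for 'uploads' the way startswith() does.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    if candidate == base:
        return None  # never treat the directory itself as a deletable file
    return candidate


def safe_delete(base: str, user_path: str) -> bool:
    """Delete user_path under base only if the lexical check and a
    symlink-resolved check both pass. Returns True only on deletion."""
    target = resolve_within(base, user_path)
    if target is None:
        return False
    real_base = os.path.realpath(base)
    real_target = os.path.realpath(target)
    # A symlink inside the uploads tree could still point outside it, so the
    # containment test is repeated on the resolved paths.
    if os.path.commonpath([real_base, real_target]) != real_base:
        return False
    if not os.path.isfile(real_target):
        return False
    os.unlink(real_target)
    return True


if __name__ == "__main__":
    for p in ["2025/07/report.pdf", "../../wp-config.php",
              "../uploads_old/x.txt", "/etc/passwd"]:
        print(f"{p!r}: naive={naive_check(UPLOADS_DIR, p)} "
              f"strict={resolve_within(UPLOADS_DIR, p)}")
```

The demo loop shows the difference: naive_check() accepts "../../wp-config.php" and "../uploads_old/x.txt" because the joined string still begins with the base directory, while resolve_within() rejects both and only returns a path for inputs that normalize to a descendant of the uploads directory.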

Potential Impact

For European organizations, this vulnerability presents a substantial risk to the integrity and availability of their web assets. Many European businesses, government agencies, and NGOs rely on WordPress for their online presence, including e-commerce, communications, and information dissemination. Exploitation could lead to deletion of critical configuration files, resulting in website downtime, loss of data integrity, and potential unauthorized control over the affected systems. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR where data availability and integrity are critical. The unauthenticated nature of the exploit means attackers can operate remotely without prior access, increasing the threat surface. Additionally, the potential for remote code execution following file deletion could allow attackers to establish persistent backdoors, escalate privileges, or pivot within the network, further compromising organizational security. The impact extends beyond individual websites to interconnected systems and services, amplifying the risk for organizations with complex IT infrastructures.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify whether the Attachment Manager plugin is present and which version is in use. Until an official patch is released, the following specific mitigations are recommended:

1) Temporarily disable or remove the Attachment Manager plugin to eliminate the attack vector.
2) Implement web application firewall (WAF) rules to detect and block requests containing path-traversal patterns that target the plugin's endpoints.
3) Restrict file system permissions for the web server user so that it cannot delete critical files such as wp-config.php, enforcing the principle of least privilege. Note that a file can be deleted by any process with write permission on its parent directory, regardless of the file's own mode, so making wp-config.php read-only does not by itself prevent its deletion; the permissions of the containing directory are what matter, and the file must remain readable by PHP.
4) Monitor server logs for unusual file deletion attempts or access patterns indicative of exploitation.
5) Employ intrusion detection systems (IDS) tuned to detect path traversal and file deletion activity.
6) Prepare incident response plans so that affected files can be restored quickly from backups and potential compromises investigated.
7) Once patches become available, prioritize immediate testing and deployment.

These steps go beyond generic advice by focusing on proactive plugin management, targeted network defenses, and operational readiness to mitigate the specific risks posed by this vulnerability.
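
For the log monitoring recommended above, here is an added example (not from the advisory or the plugin) that scans web-server access log lines for path-traversal attempts, including URL-encoded and double-encoded forms, and for requests naming wp-config.php. It assumes the Apache/nginx "combined" log format. The advisory does not give the plugin's endpoint or parameter names, so the scanner flags traversal in any request rather than filtering on an endpoint; the sample log lines are constructed, with a placeholder path standing in for the plugin endpoint.

```python
"""Added example (not the advisory's or the plugin's code): flag path-traversal
attempts in access logs. SAMPLE_LOG is constructed, not real traffic."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Leading fields of the combined log format; the referrer and user agent that
# follow are not needed here and are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# '..' as a whole path component: preceded by the start, a slash or a query
# delimiter and followed by a slash or the end. Names like 'README..txt' are
# therefore not flagged.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&])\.\.(?:[/\\]|$)')
SENSITIVE_RE = re.compile(r'wp-config\.php', re.IGNORECASE)

SAMPLE_LOG = [  # constructed lines; PLACEHOLDER-PLUGIN-ENDPOINT is not a real path
    '203.0.113.10 - - [18/Jul/2025:05:30:01 +0000] "GET /wp-content/uploads/2025/07/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jul/2025:05:31:12 +0000] "POST /PLACEHOLDER-PLUGIN-ENDPOINT?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.7 - - [18/Jul/2025:05:31:40 +0000] "POST /PLACEHOLDER-PLUGIN-ENDPOINT?file=%252e%252e%252fuploads_old%252fx.txt HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.22 - - [18/Jul/2025:05:32:05 +0000] "GET /docs/README..txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious log line, or None for benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    reasons: List[str] = []
    if TRAVERSAL_RE.search(target):
        reasons.append("traversal")
    if SENSITIVE_RE.search(target):
        reasons.append("wp-config.php")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "target": target,
        "reasons": reasons,
    }


def scan(lines) -> List[Dict[str, object]]:
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record the request line only, so if the vulnerable parameter travels in a POST body this scanner will not see it; pair it with WAF or request-body logging, and with file-integrity or audit monitoring (for example an auditd watch on wp-config.php and the uploads directory) so that an actual deletion is detected regardless of how the request arrived.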


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-14T15:09:13.446Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6879dc21a83201eaacef6a1a

Added to database: 7/18/2025, 5:31:13 AM

Last enriched: 7/18/2025, 5:46:16 AM

Last updated: 7/18/2025, 7:00:23 AM
