CVE-2025-7712: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MangaBooth Madara - Core
The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wp_manga_delete_zip() function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-7712 affects the Madara - Core plugin for WordPress, developed by MangaBooth. This plugin suffers from a path traversal flaw (CWE-22) in the wp_manga_delete_zip() function, which fails to properly validate and restrict file paths when deleting zip files. As a result, an unauthenticated attacker can craft requests that traverse directories and delete arbitrary files on the web server. Since the vulnerability requires no authentication or user interaction, it is highly accessible to remote attackers. The deletion of critical files such as wp-config.php can disrupt the WordPress site’s configuration, potentially allowing attackers to execute arbitrary code or cause denial of service. The CVSS v3.1 score of 9.1 reflects the vulnerability’s critical nature, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no exploits have been observed in the wild yet, the plugin’s widespread use in WordPress ecosystems makes this a significant threat. The absence of official patches at the time of disclosure increases the urgency for mitigations. This vulnerability highlights the risks of insufficient input validation in file operations within web applications, especially in popular CMS plugins.
Potential Impact
The impact of CVE-2025-7712 is severe for organizations running WordPress sites with the Madara - Core plugin. Successful exploitation allows attackers to delete arbitrary files on the server, which can lead to site downtime, data loss, and compromise of site integrity. Deletion of configuration files like wp-config.php can enable attackers to gain remote code execution capabilities, escalating the attack to full server compromise. This can result in data breaches, defacement, malware deployment, or use of the server in botnets. The vulnerability’s unauthenticated nature means attackers can exploit it without credentials, increasing the risk of widespread attacks. Organizations relying on this plugin for content delivery or e-commerce may face significant operational disruption and reputational damage. Additionally, recovery may require restoring from backups and extensive forensic analysis, increasing remediation costs and downtime.
Mitigation Recommendations
Immediate mitigation steps include disabling or removing the Madara - Core plugin until a security patch is released. If disabling is not feasible, restrict access to the vulnerable wp_manga_delete_zip() function by implementing web application firewall (WAF) rules that block suspicious requests containing path traversal patterns such as '../'. Employ strict input validation and sanitization at the web server or application firewall level to prevent directory traversal attempts. Regularly back up WordPress site files and databases to enable rapid recovery if files are deleted. Monitor server logs for unusual file deletion requests or errors related to the plugin. Limit file system permissions for the web server user to the minimum necessary, preventing deletion of critical files outside the plugin’s directory. Once a patch is available, apply it promptly and verify the fix. Additionally, consider isolating WordPress instances in containerized or sandboxed environments to limit the blast radius of potential exploits.
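The "strict input validation" the summary and the mitigation text call for comes down to one property: the path that ends up in the delete call must resolve to a file inside the directory the plugin is allowed to manage. The following is an added Python example written for this page; it is not code from the Madara - Core plugin, from MangaBooth or from Wordfence, and it does not reproduce wp_manga_delete_zip(). The upload directory layout, file names and request values are constructed, and the function names (is_within, validate_zip_delete, demo) are assumptions. It checks the resolved path rather than the raw string, which is why it also refuses URL-encoded traversal and symlink escapes that a WAF rule matching only the literal '../' would miss.

```python
"""Containment check for a user-supplied zip name before deletion (added
example, not the plugin's own code). Every name and path here is assumed."""
import os
import tempfile
import urllib.parse
from typing import Dict, Optional


def is_within(base_dir: str, candidate: str) -> bool:
    """True only if candidate, resolved against base_dir with '..' and
    symlinks collapsed, lies strictly inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base and target != base


def validate_zip_delete(base_dir: str, user_supplied: str) -> Optional[str]:
    """Return the absolute path that may be deleted, or None to refuse.
    base_dir is the directory the plugin may manage (assumed);
    user_supplied is the raw request value (assumed parameter)."""
    # Decode once so %2e%2e%2f is judged the same way as ../ ; the
    # containment check below does not depend on spotting any pattern.
    name = urllib.parse.unquote(user_supplied)
    # An absolute path would make os.path.join discard base_dir entirely.
    if os.path.isabs(name):
        return None
    # Only the file type the function exists to remove is acceptable.
    if not name.lower().endswith(".zip"):
        return None
    if not is_within(base_dir, name):
        return None
    target = os.path.realpath(os.path.join(os.path.realpath(base_dir), name))
    # Refuse directories and dangling names; only a regular file is deleted.
    if not os.path.isfile(target):
        return None
    return target


def demo() -> Dict[str, bool]:
    """Build a constructed directory layout in a temp dir and run the
    validator over a set of request values. Returns label -> accepted."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")        # assumed managed dir
    os.makedirs(uploads)
    open(os.path.join(uploads, "chapter-01.zip"), "w").close()
    # Files outside the managed directory (constructed stand-ins).
    outside_zip = os.path.join(root, "site-backup.zip")
    outside_cfg = os.path.join(root, "wp-config.php")
    for path in (outside_zip, outside_cfg):
        open(path, "w").close()
    # A symlink inside uploads whose target is outside it.
    os.symlink(outside_zip, os.path.join(uploads, "link.zip"))

    requests = {
        "legit": "chapter-01.zip",
        "dotdot": "../site-backup.zip",
        "encoded": "%2e%2e/site-backup.zip",
        "encoded_slash": "..%2fsite-backup.zip",
        "absolute": outside_zip,
        "symlink": "link.zip",
        "config": "../wp-config.php",
        "inner_then_up": "chapter-01.zip/../../site-backup.zip",
    }
    return {label: validate_zip_delete(uploads, value) is not None
            for label, value in requests.items()}


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{label:15s} {'DELETE' if accepted else 'refused'}")
```

Only the legitimate name is accepted; every other request is refused, most of them by the containment test rather than by the extension check, which is the point: filtering the string for '../' is a useful WAF stopgap, but the durable fix is resolving the path and verifying where it lands.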
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Japan, Canada, Australia, France, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-16T14:00:25.831Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68786778a83201eaace11810
Added to database: 7/17/2025, 3:01:12 AM
Last enriched: 2/26/2026, 4:31:41 PM
Last updated: 3/24/2026, 5:49:08 AM
Views: 190