CVE-2025-7712: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MangaBooth Madara - Core

Critical
Tags: vulnerability, cve, cve-2025-7712, cwe-22
Published: Thu Jul 17 2025 (07/17/2025, 02:24:33 UTC)
Source: CVE Database V5
Vendor/Project: MangaBooth
Product: Madara - Core

Description

The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wp_manga_delete_zip() function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 07/17/2025, 03:16:10 UTC

Technical Analysis

CVE-2025-7712 is a critical vulnerability in the Madara - Core plugin for WordPress, developed by MangaBooth. It is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The flaw lies in the wp_manga_delete_zip() function, which does not properly validate the supplied file path before performing a file deletion. Because of this missing validation, an unauthenticated attacker can supply an arbitrary path and delete any file that the web server process has permission to remove on the host where the plugin is installed.

The impact is severe because deleting a critical file such as wp-config.php can lead to remote code execution (RCE): without its configuration file, WordPress behaves as a fresh, uninstalled site and presents the setup process to any visitor, which is what allows an attacker who removes or manipulates configuration files to go on to upload malicious code or gain elevated privileges on the server. The vulnerability affects all versions of the Madara - Core plugin up to and including version 2.2.3.

The CVSS v3.1 base score is 9.1, a critical severity level. The vector string AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H indicates that the attack can be performed remotely over the network with low attack complexity and without any authentication or user interaction; it affects integrity and availability (arbitrary file deletion and service disruption) but not confidentiality.

No exploitation in the wild has been reported so far, but the ease of exploitation and the potential for severe impact make this vulnerability a high priority for remediation. The absence of a patch link in the record suggests that a fix may not yet be publicly available, which increases the urgency for affected organizations to apply mitigations and monitor for updates from the vendor.
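The plugin's own wp_manga_delete_zip() source is not reproduced on this page, so the following is an added illustration, not the plugin's code, of the containment check that a CWE-22 fix needs: resolve the requested path, confirm it stays under the one directory the function is meant to serve, and restrict the deletable file type. It is written in Python so it can be run stand-alone; the same structure maps onto PHP's realpath() plus a prefix comparison. The directory layout, the file names and the placeholder wp-config.php content are all constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_within(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the resolved path if it lies strictly inside base_dir, else None.

    realpath() collapses '..' components and follows symlinks before the
    containment test, so 'zips/../wp-config.php' and a symlink planted
    inside the directory both fail.  A string search for '..' on the raw
    input would catch neither encoded forms nor symlinks.
    """
    base = Path(os.path.realpath(base_dir))
    if os.path.isabs(user_path):
        return None  # joining an absolute path would silently drop base_dir
    candidate = Path(os.path.realpath(base / user_path))
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the allowed directory
    if candidate == base:
        return None  # the directory itself is never a deletable target
    return candidate


def safe_delete_zip(base_dir: str, user_path: str) -> bool:
    """Delete a .zip inside base_dir and nothing else; True only on deletion."""
    target = resolve_within(base_dir, user_path)
    if target is None or target.suffix.lower() != ".zip" or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the check against a constructed layout in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    zips = root / "zips"                      # the only directory deletion may touch
    zips.mkdir()
    (zips / "ch1.zip").write_bytes(b"PK\x05\x06")
    (zips / "notes.txt").write_text("keep me")
    secret = root / "wp-config.php"           # stands in for the critical file outside zips/
    secret.write_text("<?php // constructed placeholder, not a real config")
    try:
        (zips / "evil.zip").symlink_to(secret)  # symlink escape attempt
    except OSError:
        pass  # platforms without symlink support: the entry simply does not exist
    return {
        "traversal": safe_delete_zip(str(zips), "../wp-config.php"),
        "absolute": safe_delete_zip(str(zips), str(secret)),
        "symlink": safe_delete_zip(str(zips), "evil.zip"),
        "wrong_ext": safe_delete_zip(str(zips), "notes.txt"),
        "legit": safe_delete_zip(str(zips), "ch1.zip"),
        "secret_survives": secret.exists(),
        "zip_removed": not (zips / "ch1.zip").exists(),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The order of operations is the point: relative_to() is only meaningful after realpath() has collapsed `..` components and followed symlinks, because a prefix check on an unresolved string accepts `/base/../other`. The check still leaves a small window between the test and unlink() (a TOCTOU race), which matters only when an attacker can already replace entries inside the allowed directory.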

Potential Impact

For European organizations using WordPress sites with the Madara - Core plugin, this vulnerability poses a significant risk. The ability for unauthenticated attackers to delete arbitrary files can lead to website defacement, data loss, and service outages. More critically, deletion of configuration files like wp-config.php can enable attackers to execute arbitrary code remotely, potentially compromising the entire web server and any connected systems. This can result in data breaches, loss of customer trust, regulatory non-compliance (e.g., GDPR violations), and financial damage. Organizations in sectors such as e-commerce, media, education, and government that rely on WordPress for content management are particularly vulnerable. The attack requires no authentication and can be automated, increasing the likelihood of exploitation. Given the widespread use of WordPress across Europe and the popularity of the Madara theme/plugin in manga and comic-related websites, the threat could impact both niche and mainstream sites. Additionally, compromised servers could be leveraged as part of larger botnets or used to launch further attacks, amplifying the threat landscape for European entities.

Mitigation Recommendations

1. Immediate mitigation should include disabling or uninstalling the Madara - Core plugin until a vendor patch is released.
2. If disabling the plugin is not feasible, restrict access to the vulnerable function by implementing web application firewall (WAF) rules that block requests attempting to exploit path traversal patterns targeting the wp_manga_delete_zip() function.
3. Harden file system permissions to ensure that the web server user has minimal privileges, preventing deletion of critical files outside designated directories.
4. Monitor web server logs for suspicious requests containing path traversal sequences (e.g., ../) and unusual file deletion activities.
5. Maintain regular backups of website files and configurations to enable rapid restoration in case of file deletion.
6. Follow vendor communications closely and apply official patches as soon as they become available.
7. Conduct a security audit of all WordPress plugins and themes to identify and remediate other potential vulnerabilities.
8. Employ intrusion detection systems (IDS) to detect anomalous behavior indicative of exploitation attempts.

These steps go beyond generic advice by focusing on immediate containment, proactive monitoring, and minimizing the attack surface until a patch is available.
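An added example, not part of the advisory, of the log monitoring called for in steps 4 and 8: a small Python scanner that parses combined-format access-log lines, percent-decodes the request target repeatedly so that `..%2F` and double-encoded `%252e%252e%252f` forms are caught alongside a literal `../`, and flags traversal sequences and references to wp-config.php. The log lines are constructed, and the `action=EXAMPLE_ACTION` and `file=` query parameters are placeholders; the actual endpoint and parameter names used by the plugin are not given on this page.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format; none is real traffic.
# action=EXAMPLE_ACTION and file= are placeholders, not the plugin's request format.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2025:02:30:01 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=chapter1.zip HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2025:02:30:07 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.9 - - [17/Jul/2025:02:30:09 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.9 - - [17/Jul/2025:02:30:11 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"
198.51.100.2 - - [17/Jul/2025:02:31:00 +0000] "GET /manga/example-title/chapter-1/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")           # '../' or '..\' after decoding
SENSITIVE_FILES = ("wp-config.php", ".htaccess")  # files whose loss is critical


def normalize(target: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until stable (bounded) and unify slashes.

    Returns (decoded_target, rounds).  rounds > 1 means the request was
    encoded more than once, which is itself a strong evasion signal.
    """
    current, rounds = target, 0
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.replace("\\", "/"), rounds


def scan(log_text: str) -> List[Dict]:
    """Return one finding per log line showing traversal or a sensitive target."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded, rounds = normalize(m.group("target"))
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("traversal")
        if any(name in decoded.lower() for name in SENSITIVE_FILES):
            reasons.append("sensitive-file")
        if rounds > 1:
            reasons.append("double-encoded")
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "raw_target": m.group("target"),
                "reasons": reasons,
            })
    return findings


def repeat_offenders(findings: List[Dict], threshold: int = 2) -> List[str]:
    """Source IPs with at least `threshold` findings, most active first."""
    counts = Counter(f["ip"] for f in findings)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["ip"], f["status"], ",".join(f["reasons"]), f["raw_target"])
    print("repeat offenders:", repeat_offenders(hits))
```

The same normalization belongs in any WAF rule written for step 2: a rule that matches only the literal `../` misses the encoded variants, and a 200 status on a flagged request (as opposed to the 403 on the blocked one above) is the line worth escalating, because it means the request reached the application.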

Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-16T14:00:25.831Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68786778a83201eaace11810

Added to database: 7/17/2025, 3:01:12 AM

Last enriched: 7/17/2025, 3:16:10 AM

Last updated: 7/17/2025, 10:58:05 AM

Views: 11
