CVE-2025-7778: CWE-285 Improper Authorization in artkrylov Icons Factory
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-7778 is a critical security vulnerability identified in the Icons Factory plugin for WordPress, developed by artkrylov. The flaw resides in the delete_files() function, which suffers from improper authorization checks and insufficient path validation. This allows an unauthenticated attacker to invoke the file deletion functionality and specify arbitrary file paths for deletion on the server hosting the WordPress site. Because the plugin does not verify the user's permissions before executing file deletions, attackers can delete any file accessible by the web server process. This includes sensitive files such as wp-config.php, which contains database credentials and other configuration details. Deleting such files can lead to remote code execution (RCE) by enabling attackers to disrupt site functionality or upload malicious payloads through subsequent exploitation steps. The vulnerability affects all versions of the plugin up to and including 1.6.12. The CVSS v3.1 base score is 9.8 (critical), reflecting the ease of exploitation (no authentication or user interaction required), the high impact on confidentiality, integrity, and availability, and the broad scope of affected systems. Although no active exploits have been reported in the wild, the severity and simplicity of exploitation make this a high-priority threat. The vulnerability was reserved in July 2025 and published in August 2025. No official patches or updates are currently linked, indicating that users must monitor vendor communications closely or apply manual mitigations.
Potential Impact
The impact of CVE-2025-7778 is severe for organizations running WordPress sites with the vulnerable Icons Factory plugin. Successful exploitation allows attackers to delete arbitrary files on the web server without authentication, potentially leading to complete site compromise. Critical files such as wp-config.php can be deleted, causing site outages and enabling remote code execution through subsequent attack vectors. This compromises the confidentiality of sensitive data (e.g., database credentials), the integrity of website content and configurations, and the availability of the web service. For organizations relying on WordPress for business operations, e-commerce, or customer engagement, this can result in significant downtime, data breaches, reputational damage, and financial losses. The vulnerability also increases the attack surface for further exploitation, including malware deployment and lateral movement within the hosting environment. Given WordPress's widespread use globally, the threat has broad implications for website security and trust.
Mitigation Recommendations
To mitigate CVE-2025-7778, organizations should take immediate and specific actions beyond generic advice:
1) Disable or uninstall the Icons Factory plugin until a secure patched version is released.
2) If disabling is not feasible, restrict access to the plugin’s file deletion functionality by implementing web application firewall (WAF) rules that block unauthorized requests targeting the delete_files() endpoint or parameters.
3) Harden file system permissions to ensure the web server process has minimal rights, preventing deletion of critical files like wp-config.php.
4) Monitor web server and WordPress logs for suspicious deletion attempts or unusual file access patterns.
5) Regularly back up WordPress files and databases to enable rapid recovery in case of file deletion or compromise.
6) Stay updated with vendor advisories and apply official patches immediately once available.
7) Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts of this vulnerability.
8) Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.
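The advisory attributes the flaw to two missing controls in delete_files(): an authorization check and path validation. The handler below is an added example written for this page of what those controls look like in a WordPress AJAX deletion endpoint; it is not the Icons Factory plugin's code, and the action name icf_delete_file, the request field file, the nonce field nonce, the manage_options capability and the icons-factory uploads subdirectory are all assumed names chosen for illustration.

```php
<?php
// Added example, not the Icons Factory plugin's code: a WordPress AJAX
// file-deletion handler that enforces the two controls CVE-2025-7778
// describes as missing (authorization and path validation).
// Assumed names: action 'icf_delete_file', request field 'file', nonce field
// 'nonce', capability 'manage_options', uploads subdirectory 'icons-factory'.

// Register only the authenticated hook. There is deliberately no
// 'wp_ajax_nopriv_icf_delete_file' registration, so unauthenticated
// visitors never reach this function at all.
add_action( 'wp_ajax_icf_delete_file', 'icf_delete_file_handler' );

function icf_delete_file_handler() {
    // 1. Authorization: the caller must hold a privileged capability.
    //    Being logged in is not enough; a subscriber must also be refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this
    //    action (emitted in the admin page with wp_create_nonce( 'icf_delete_file' )).
    check_ajax_referer( 'icf_delete_file', 'nonce' );

    $requested = isset( $_POST['file'] )
        ? sanitize_text_field( wp_unslash( $_POST['file'] ) )
        : '';
    if ( '' === $requested ) {
        wp_send_json_error( 'missing file', 400 );
    }

    // 3. Path validation. Only a bare file name is accepted (basename() drops
    //    any directory component, including '../'), and the result is resolved
    //    with realpath() so symlinks are followed before the containment check.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'icons-factory' );
    $target = $base ? realpath( $base . DIRECTORY_SEPARATOR . basename( $requested ) ) : false;

    if ( false === $base
        || false === $target
        || 0 !== strncmp( $target, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 )
        || ! is_file( $target ) ) {
        // Anything outside the plugin's own directory (wp-config.php, .htaccess,
        // other plugins' files) is refused here rather than deleted.
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Allow-list the file types this feature is meant to manage.
    $ext = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'png', 'ico', 'svg' ), true ) ) {
        wp_send_json_error( 'unsupported type', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

The containment check compares the resolved target against the resolved base directory with a trailing separator, so a sibling directory whose name merely starts with icons-factory does not pass. Restricting the operation to a dedicated subdirectory of the uploads folder, combined with recommendation 3 above (minimal file system rights for the web server process), means that even a logic error in the handler cannot reach wp-config.php.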
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-17T22:02:28.623Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 689ef436ad5a09ad00697347
Added to database: 8/15/2025, 8:47:50 AM
Last enriched: 2/26/2026, 4:35:41 PM
Last updated: 3/23/2026, 12:21:44 AM