The Wptobe-memberships plugin for WordPress, widely used for membership management, contains a critical vulnerability identified as CVE-2025-9048. This vulnerability arises from improper validation of file paths in the del_img_ajax_call() function, which handles AJAX requests to delete images. Because the plugin does not adequately sanitize or restrict the file paths provided by authenticated users, attackers with Subscriber-level privileges or higher can craft requests to delete arbitrary files on the web server. This arbitrary file deletion can be leveraged to remove critical WordPress configuration files such as wp-config.php, potentially causing denial of service or enabling remote code execution by disrupting normal site operations or facilitating further exploitation. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication, making it a serious threat to affected sites. The CVSS v3.1 base score of 8.1 reflects a network attack vector with low complexity, requiring privileges but no user interaction, and resulting in high impact on integrity and availability. No patches have been officially released at the time of this report, and no exploits are publicly known, but the risk remains high due to the nature of the flaw and the widespread use of WordPress plugins.

The vulnerability allows attackers with minimal privileges (Subscriber-level) to delete arbitrary files on the server, which can lead to severe consequences including site downtime, loss of data, and potential remote code execution. Deletion of critical files like wp-config.php can disrupt the entire WordPress installation, causing denial of service and enabling attackers to further compromise the system. Organizations relying on the Wptobe-memberships plugin face risks of website defacement, data loss, and reputational damage. The ease of exploitation combined with the high impact on integrity and availability makes this a significant threat to websites using this plugin. Additionally, the breach of file integrity could lead to further attacks such as privilege escalation or malware deployment if attackers manipulate or replace deleted files with malicious ones.

Organizations should immediately audit their WordPress installations to identify the presence of the Wptobe-memberships plugin and its version. Until an official patch is released, administrators should restrict access to the plugin’s AJAX endpoints by implementing web application firewall (WAF) rules that block unauthorized or suspicious requests targeting del_img_ajax_call(). Additionally, review and tighten user role permissions to limit Subscriber-level users’ ability to invoke file deletion functions. Implement file integrity monitoring to detect unauthorized deletions or modifications of critical files like wp-config.php. Regular backups should be maintained and tested to ensure rapid recovery in case of file deletion. Monitoring logs for unusual deletion activity and applying principle of least privilege for user roles can reduce the attack surface. Once a patch is available, prompt application is essential. Consider isolating the WordPress environment using containerization or hardened hosting environments to limit the impact of potential exploitation.