CVE-2025-6043
BaseFortify
Publication date: 2025-07-16
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| malcure | malware_scanner | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Malcure Malware Scanner plugin for WordPress, where a missing capability check in the wpmr_delete_file() function allows authenticated users with Subscriber-level access or higher to delete arbitrary files. This can lead to remote code execution if advanced mode is enabled on the site.
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can delete arbitrary files on the affected WordPress site, potentially leading to remote code execution. This can compromise the site's integrity, availability, and security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately disable advanced mode on the affected WordPress site to prevent exploitation. Additionally, restrict or review user roles to ensure that Subscriber-level users do not have unnecessary access. Update the Malcure Malware Scanner plugin to a version later than 16.8 once available to ensure the missing capability check is implemented.