CVE-2025-9048
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-23

Last updated on: 2025-08-25

Assigner: Wordfence

Description
The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-23
Last Modified
2025-08-25
Generated
2026-06-16
AI Q&A
2025-08-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9048
EUVD
EUVD-2025-25736
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress wptobe-memberships *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Wptobe-memberships WordPress plugin (up to version 3.4.2) where an authenticated user with Subscriber-level access or higher can delete arbitrary files on the server. The issue arises because the del_img_ajax_call() function does not properly validate the file path before deleting files specified by user input. This lack of validation allows attackers to delete critical files, such as wp-config.php, potentially leading to remote code execution. [1]

Impact Analysis

An attacker with at least Subscriber-level access can exploit this vulnerability to delete arbitrary files on the server hosting the WordPress site. This can disrupt website functionality, cause data loss, or lead to remote code execution if critical files like wp-config.php are deleted. The impact includes potential website downtime, unauthorized control over the server, and compromise of sensitive data. [1]

Detection Guidance

This vulnerability can be detected by monitoring for AJAX requests to the endpoints 'wp_ajax_del_img_ajax_call' or 'wp_ajax_user_del_img_admin_ajax_call' that attempt to delete files. On the server, you can check web server logs for POST requests containing parameters like 'img' that specify file paths. Additionally, inspecting WordPress user activity logs for Subscriber-level users performing file deletion actions may help. There are no specific commands provided, but you can use tools like 'grep' on access logs to find suspicious POST requests, e.g., grep 'del_img_ajax_call' /var/log/apache2/access.log. Also, scanning for unexpected deletions of critical files such as 'wp-config.php' can indicate exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the vulnerable AJAX actions 'del_img_ajax_call' and 'user_del_img_admin_ajax_call' until a patch is applied. Limit file deletion capabilities to trusted users by adding proper capability checks and nonce verification in the AJAX handlers. Updating the Wptobe-memberships plugin to a version later than 3.4.2 that fixes the issue is recommended once available. As a temporary measure, monitor and restrict Subscriber-level users from performing file deletion actions and ensure proper backups of critical files like 'wp-config.php' are maintained. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart