CVE-2025-9048
BaseFortify
Publication date: 2025-08-23
Last updated on: 2025-08-25
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wptobe-memberships | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Wptobe-memberships WordPress plugin (all versions up to and including 3.4.2). An authenticated user with Subscriber-level access or higher can delete arbitrary files on the server because the del_img_ajax_call() function does not validate the file path it receives from the request before deleting the file (CWE-73). Deleting a file such as wp-config.php is the dangerous case: without it WordPress falls back into its installation wizard, which lets the attacker point the site at a database they control, create an administrator account and upload a plugin containing arbitrary PHP, so a file deletion can escalate to remote code execution. [1]
How can this vulnerability impact me?
An attacker with at least Subscriber-level access, which on many membership sites is obtainable simply by registering, can delete arbitrary files on the server hosting the WordPress site. Depending on which files are removed this means broken site functionality and data loss, or, if wp-config.php or another critical file is deleted, a path to remote code execution and full control of the web server. The realistic impact therefore ranges from site downtime to compromise of every secret and record the site holds. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable handlers are registered on the 'wp_ajax_del_img_ajax_call' and 'wp_ajax_user_del_img_admin_ajax_call' hooks, so they are reached by sending a request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'del_img_ajax_call' or 'user_del_img_admin_ajax_call' and a file path in a parameter such as 'img'. Detection therefore means watching requests to admin-ajax.php for those action names, especially from low-privilege accounts. A quick first pass is grep 'del_img_ajax_call' /var/log/apache2/access.log, but note the limitation: web server access logs record the query string, not the POST body, so an attacker who sends the action and path in the body will not show up there. For reliable coverage, log the action name, user ID and path parameter on the server side (a WAF, a WordPress activity-log plugin, or a small must-use plugin hooked in front of the handler) rather than relying on the access log. Also check the file system for the symptom of successful exploitation: an unexpectedly missing wp-config.php (the site suddenly shows the WordPress install screen), missing .htaccess, or missing plugin and theme files, and compare against a known-good backup or the plugin's release archive. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to update the Wptobe-memberships plugin to a version later than 3.4.2 that fixes the issue, or to deactivate the plugin until such a version is available. If neither is possible right away, block or gate the vulnerable AJAX actions 'del_img_ajax_call' and 'user_del_img_admin_ajax_call' so that only trusted users can reach them. Note that a capability check and nonce verification alone are not the full fix: the handler must also confine the path it deletes to the directory it is meant to manage (for example, resolving the path with realpath() and refusing anything outside wp-content/uploads), since otherwise an administrator-level account, or a stolen admin session, can still delete wp-config.php. In the meantime, keep a verified off-server backup of wp-config.php and the rest of the site, and review recent Subscriber registrations and any admin-ajax activity from those accounts. [1]
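The following must-use plugin is an added example (written for this page, not code from the plugin vendor or from Wordfence) that implements both the server-side detection and the interim gating described above. It assumes the handlers are registered as wp_ajax_del_img_ajax_call and wp_ajax_user_del_img_admin_ajax_call and that the path arrives in a parameter named 'img'; the hook names come from the advisory text, while the parameter name is an assumption to verify against the installed plugin. The hardened path check is the part that addresses CWE-73 directly.

```php
<?php
/**
 * Plugin Name: Guard for wptobe-memberships image-deletion AJAX actions
 * Description: Example mu-plugin (not the plugin vendor's code). Logs and gates the
 *              two AJAX actions named in the advisory until the fixed version is installed.
 *
 * Install by copying into wp-content/mu-plugins/. Assumptions: the vulnerable handlers are
 * hooked as wp_ajax_del_img_ajax_call and wp_ajax_user_del_img_admin_ajax_call, and the
 * file path parameter is called "img" (assumed; check the plugin's JavaScript to confirm).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const WPTOBE_GUARD_ACTIONS = array( 'del_img_ajax_call', 'user_del_img_admin_ajax_call' );

/**
 * Returns true only when $candidate resolves to an existing regular file inside $base_dir.
 * realpath() collapses "../" segments and follows symlinks, so a path that escapes the
 * uploads tree by either route is rejected. Missing files and directories also return false.
 */
function wptobe_guard_path_is_confined( $candidate, $base_dir ) {
    $real_base = realpath( $base_dir );
    $real_file = realpath( $candidate );
    if ( false === $real_base || false === $real_file || ! is_file( $real_file ) ) {
        return false;
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real_file, $real_base, strlen( $real_base ) );
}

/**
 * Runs at priority 0, i.e. before the plugin's own handler on the same hook.
 * Every call is logged (detection); calls that are not from an administrator, or that
 * point outside wp-content/uploads, are stopped here (mitigation). wp_send_json_error()
 * ends the request, so the plugin's handler never executes for a rejected call.
 */
function wptobe_guard_ajax_gate() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $img    = isset( $_REQUEST['img'] ) ? (string) wp_unslash( $_REQUEST['img'] ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Detection: record who called which action with which path, whatever the outcome.
    // This is visible in the PHP error log even though the POST body never reaches access.log.
    error_log( sprintf( 'wptobe-guard: action=%s user=%d ip=%s img=%s',
        $action, get_current_user_id(), $ip, $img ) );

    // Mitigation 1: while unpatched, only administrators may reach the deletion handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Mitigation 2: even for administrators, refuse any path outside the uploads directory.
    // A bare file name is assumed to be relative to the uploads base directory.
    $uploads   = wp_upload_dir();
    $base_dir  = $uploads['basedir'];
    $candidate = ( '' !== $img && DIRECTORY_SEPARATOR === $img[0] )
        ? $img
        : trailingslashit( $base_dir ) . $img;

    if ( '' === $img || ! wptobe_guard_path_is_confined( $candidate, $base_dir ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
}

foreach ( WPTOBE_GUARD_ACTIONS as $guarded ) {
    add_action( 'wp_ajax_' . $guarded, 'wptobe_guard_ajax_gate', 0 );
}
```

With this in place a Subscriber sending action=del_img_ajax_call with img=../../../wp-config.php gets a 403 and a log line such as wptobe-guard: action=del_img_ajax_call user=7 ip=203.0.113.5 img=../../../wp-config.php, which is the signal to alert on. A nonce check is deliberately not included because the plugin's nonce action name is not known from the advisory; once the fixed plugin version is installed, remove this guard rather than leaving two layers that may disagree.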