Malcure Advanced Edition v17.1.1 Fixes CVE-2025-6043

Today we have released Malcure Advanced Edition v17.1.1, which addresses CVE‑2025‑6043—a file deletion vulnerability that could be triggered only by authenticated users (Subscriber-level or higher) and only when the licensed Advanced Edition is enabled. If you are using version 16.8 or earlier with a valid license, please update immediately to protect your site from potential file integrity issues.

To exploit this vulnerability, all of the following conditions must be met:

  1. A user must have purchased a valid license key for Malcure Advanced Edition.
  2. The license should be activated on the target system and plugin.
  3. The user should be authenticated and logged into the target WordPress website.

If any of these conditions is not met, this vulnerability does not affect you.

Summary

CVE‑2025‑6043 identifies a missing authorization vulnerability in the wpmr_delete_file() function of Malcure Advanced Edition (activated via purchased license). Authenticated users (Subscriber-level and above) could delete arbitrary, plugin-managed files. This issue is resolved in v17.1.1.

Affected Setup

  • Present in versions v16.8 and below, with Advanced Edition license purchased and enabled.
  • Exploitable only by authenticated users with Subscriber-level access or higher—not by public visitors (Vulmon).
  • The base plugin (without license activation) remains unaffected.

Impact Assessment

  • Integrity: High — deletion of critical files can compromise or destabilize the entire site, including the potential for unauthorized site reinstallation and admin account creation.
  • Availability: High — deletion of essential files such as wp-config.php can result in complete site outage, preventing both users and administrators from accessing the site until manual restoration.
  • Confidentiality: None — this vulnerability does not expose or leak sensitive data, but enables file removal.
  • Overall Severity: High — due to the risk of full site downtime and takeover if exploited.

Remediation

Malcure Advanced Edition v17.1.1 is available now. Update immediately:

  1. Navigate to Plugins → Installed Plugins in WordPress admin.
  2. Locate Malcure Advanced Edition and click Update now, or upload v17.1.1 manually.
  3. If you cannot update immediately, deactivate the Advanced Edition license; the base plugin without an active license is not affected.

Disclosure Timeline

  • July 15, 2025 – Publicly disclosed the vulnerability (wiz.io).
  • July 16, 2025 – Patch released in v17.1.1 and advisory published.

Technical Summary

Under Advanced Edition, wpmr_delete_file() did not enforce a sufficient capability check, so any authenticated user could reach it and delete plugin-managed files. While this could theoretically be chained into remote code execution, that remains a complex exploitation path with strict preconditions (Vulmon).
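The root cause described above and in the Summary is a privileged file operation that was reachable without an authorization check. The following is an added example, not Malcure's code and not the patched wpmr_delete_file(), showing how a WordPress AJAX file-deletion handler should gate that operation: a nonce check, a capability check that Subscriber-level accounts cannot pass, and path confinement so that files outside a plugin-managed directory (wp-config.php, for instance) can never be targeted. The action name "example_delete_file", the constant EXAMPLE_MANAGED_DIR and the quarantine directory it points at are assumptions made for illustration.

```php
<?php
/**
 * Added example (hypothetical, not Malcure's code): a hardened WordPress AJAX
 * handler for deleting a plugin-managed file. The action name, constant and
 * directory are assumptions chosen for illustration only.
 */

// Hypothetical directory the plugin is allowed to manage (assumption).
define( 'EXAMPLE_MANAGED_DIR', trailingslashit( WP_CONTENT_DIR ) . 'example-quarantine/' );

/**
 * Resolve a user-supplied relative file name to an absolute path and confirm
 * it stays inside EXAMPLE_MANAGED_DIR. Returns false for absolute paths,
 * NUL bytes, "../" traversal, symlink escapes and non-existent files.
 */
function example_resolve_managed_path( $relative ) {
    if ( '' === $relative || false !== strpos( $relative, "\0" ) || path_is_absolute( $relative ) ) {
        return false;
    }
    $base = realpath( EXAMPLE_MANAGED_DIR );
    $full = realpath( EXAMPLE_MANAGED_DIR . $relative );
    if ( false === $base || false === $full ) {
        return false;
    }
    $base = trailingslashit( wp_normalize_path( $base ) );
    $full = wp_normalize_path( $full );
    // Prefix check on the canonical path is what defeats traversal and symlinks.
    if ( 0 !== strpos( $full, $base ) ) {
        return false;
    }
    return is_file( $full ) ? $full : false;
}

/**
 * AJAX handler. wp_ajax_* hooks only fire for logged-in users, but being
 * logged in is authentication, not authorization: every request must still
 * pass a nonce check and a capability check before the filesystem is touched.
 */
function example_delete_file_handler() {
    // 1. CSRF protection: the nonce is bound to this specific action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Authorization: Subscriber-level accounts do not hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation and path confinement.
    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $path      = example_resolve_managed_path( $requested );
    if ( false === $path ) {
        wp_send_json_error( array( 'message' => 'File is not under plugin management.' ), 400 );
    }

    // 4. Delete via the core helper, which re-checks that $path lies inside the
    //    directory (defence in depth), and leave an audit trail of who did it.
    if ( ! wp_delete_file_from_directory( $path, EXAMPLE_MANAGED_DIR ) ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    error_log( sprintf( 'example: user %d deleted %s', get_current_user_id(), $path ) );
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_handler' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous visitors get no handler at all.
```

The capability check in step 2 is the control whose absence a CVE of this class describes; the confinement in step 3 limits blast radius even if an authorization check is ever regressed, and the error_log() line gives incident responders a record of which account deleted which file. When reviewing a plugin, look for any unlink()-style operation reachable from a wp_ajax_, admin-post or REST callback and confirm all three controls are present.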

Written by
Principal Security Researcher, Malcure Web Security

Shiv has worked in security and infrastructure since 2002, with hands-on experience across enterprise network security, incident response, problem coordination, triage management, Windows and Linux systems provisioning, scripting automation, Nginx, ModSecurity, reverse proxies, web application firewalls, WordPress malware removal, malicious redirect cleanup, SEO spam remediation, WP-CLI workflows, vulnerability response, and website hardening. His research informs Malcure’s malware detection, cleanup, and hardening methodology.