Malcure Advanced Edition v17.1.1 Fixes CVE-2025-6043

Today we released Malcure Advanced Edition v17.1.1, which fixes CVE-2025-6043, an authenticated arbitrary file deletion vulnerability. It can be triggered only by logged-in users (Subscriber role or higher) and only on sites where a licensed Advanced Edition is activated. If you run version 16.8 or earlier with an active license, update immediately: an attacker who exploits this can delete files such as wp-config.php and take the site down or take it over.

All of the following conditions must hold for the vulnerability to be exploitable:

  1. The site owner has purchased a valid license key for Malcure Advanced Edition.
  2. That license is activated on the target site, enabling the Advanced Edition code paths in the plugin.
  3. The attacker has an account on the target WordPress site (any role, Subscriber or higher) and is logged in.

If any one of these conditions does not apply, this vulnerability does not affect you.

Summary

CVE-2025-6043 is a missing authorization vulnerability in the wpmr_delete_file() function of Malcure Advanced Edition (the code path enabled by a purchased license). Because the function did not check the caller's capability, any authenticated user (Subscriber-level and above) could delete arbitrary files through the plugin's file-deletion code. This issue is resolved in v17.1.1.

Affected Setup

  • Present in versions v16.8 and below, with Advanced Edition license purchased and enabled.
  • Exploitable only by authenticated users with Subscriber-level access or higher—not by public visitors (Vulmon).
  • The base plugin (without license activation) remains unaffected.

Impact Assessment

  • Integrity: High — deleting critical files can compromise or destabilize the entire site. In particular, once wp-config.php is removed, WordPress serves its installation wizard on the next request; an attacker can complete that wizard with database settings they control and create an administrator account, which is how a file deletion turns into an unauthorized reinstallation and admin takeover.
  • Availability: High — deleting essential files such as wp-config.php results in a complete site outage, preventing both visitors and administrators from accessing the site until the files are restored manually or from backup.
  • Confidentiality: None — this vulnerability does not expose or leak sensitive data, but enables file removal.
  • Overall Severity: High — due to the risk of full site downtime and takeover if exploited.

Malcure Advanced Edition v17.1.1 is available now. Update immediately:

  1. Navigate to Plugins → Installed Plugins in WordPress admin.
  2. Select Malcure Advanced Edition, click Update now, or manually upload v17.1.1.
  3. If you cannot update immediately, deactivate the Advanced Edition license; the base plugin without an active license is not affected.

Disclosure Timeline

  • July 15, 2025 – Publicly disclosed the vulnerability (wiz.io).
  • July 16, 2025 – Patch released in v17.1.1 and advisory published.

Technical Summary

Under Advanced Edition, wpmr_delete_file() was missing a capability check, so any authenticated user could invoke it and delete files, including files outside what the plugin is meant to manage (the impact assessment above cites wp-config.php). In theory this can be chained to remote code execution, for example by deleting wp-config.php and then completing a fresh install with attacker-controlled settings, but that is a complex exploitation path with the strict preconditions listed above (Vulmon).
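The following is an added illustration and is not Malcure's code: a generic WordPress AJAX file-deletion handler written the way a missing-authorization bug of this class typically looks, beside a hardened version that checks a capability, verifies a nonce, and confines deletions to the directory the plugin actually manages. The function and hook names prefixed wpmr_example_, the nonce action name, and the WP_CONTENT_DIR/wpmr-quarantine directory are assumptions made for the example; the real plugin's handler, parameters and directory layout may differ.

```php
<?php
// Added example, not Malcure's code. Every wpmr_example_* name is hypothetical.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every logged-in user regardless
// of role, and this handler performs no capability or nonce check before
// unlinking whatever path the caller supplies.
function wpmr_example_delete_file_vulnerable() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( $file && file_exists( $file ) ) {
        unlink( $file ); // a Subscriber can pass ABSPATH . 'wp-config.php' here
        wp_send_json_success( 'deleted' );
    }
    wp_send_json_error( 'not found' );
}
// add_action( 'wp_ajax_wpmr_example_delete', 'wpmr_example_delete_file_vulnerable' );

// HARDENED PATTERN: require an administrative capability, verify a nonce, and
// resolve the requested path inside the managed directory before deleting.
function wpmr_example_delete_file_hardened() {
    // 1. Authorization: only administrators (or a dedicated plugin capability).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: nonce issued with wp_create_nonce( 'wpmr_example_delete' ).
    check_ajax_referer( 'wpmr_example_delete', 'nonce' );

    // 3. Path confinement (the managed directory is an assumption for this example).
    $base      = wpmr_example_managed_dir();
    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $target    = wpmr_example_resolve_within( $base, $requested );
    if ( null === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( basename( $target ) );
}
add_action( 'wp_ajax_wpmr_example_delete', 'wpmr_example_delete_file_hardened' );

// Assumed location of the files the plugin is allowed to remove.
function wpmr_example_managed_dir() {
    return trailingslashit( WP_CONTENT_DIR ) . 'wpmr-quarantine';
}

/**
 * Resolve $relative inside $base and return its real path, or null when the
 * result escapes $base (../ sequences, symlinks, absolute paths) or is not a
 * regular file. realpath() is applied to both sides so symlinks cannot be
 * used to point the deletion outside the managed directory.
 */
function wpmr_example_resolve_within( $base, $relative ) {
    $base_real = realpath( $base );
    if ( false === $base_real || '' === $relative ) {
        return null;
    }
    $candidate = realpath( $base_real . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return null;
    }
    $prefix = $base_real . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null; // resolved path lies outside the managed directory
    }
    return $candidate;
}
```

The two checks that matter for this CVE class are the first two in the hardened handler: current_user_can() is what was missing, and without it every Subscriber-level account can reach the deletion code through admin-ajax.php; the nonce check additionally stops a logged-in administrator from being tricked into triggering the deletion cross-site. Path confinement is defence in depth so that even an authorized caller cannot remove wp-config.php.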

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her expertise spans network security, security auditing and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, including Nginx, ModSecurity, reverse proxies, developing web application firewalls, and on-the-fly asset optimization using Google's PageSpeed Module. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.