---
title: "Malcure Advanced Edition v17.1.1 Fixes CVE-2025-6043"
date: 2025-07-15
author: "Shiv"
featured_image: "https://malcure.com/wp-content/uploads/2025/07/malcure-advanced-edition-v1711-fixes-cve20256043.jpg"
categories:
  - name: "Security"
    url: "/blog/security.md"
---

# Malcure Advanced Edition v17.1.1 Fixes CVE-2025-6043

Today we have released Malcure Advanced Edition v17.1.1, which addresses CVE‑2025‑6043—a file deletion vulnerability that could be triggered **only** by authenticated users (Subscriber-level or higher) and **only** when the licensed Advanced Edition is enabled. If you are using version 16.8 or earlier with a valid license, please update immediately to protect your site from potential file integrity issues.

For this vulnerability to be exploitable, all of the following conditions must be met:

1. A user must have purchased a valid license key for Malcure Advanced Edition.
2. The license should be activated on the target system and plugin.
3. The user should be authenticated and logged into the target WordPress website.

**If this is not the case, this vulnerability will not affect you.**

### Summary

CVE‑2025‑6043 identifies a **missing authorization vulnerability** in the `wpmr_delete_file()` function of **Malcure Advanced Edition** (activated via purchased license). Authenticated users (Subscriber-level and above) could delete arbitrary, plugin-managed files. This issue is resolved in **v17.1.1**.

---

### Affected Setup

- Present in versions **v16.8 and below**, with **Advanced Edition** license purchased and enabled.
- Exploitable only by **authenticated** users with Subscriber-level access or higher—**not** by public visitors ([Vulmon](https://vulmon.com/vulnerabilitydetails?qid=CVE-2025-6043 "CVE-2025-6043 - Arbitrary File Deletion in Malcure Malware…")).
- The base plugin (without license activation) remains unaffected.

---

### Impact Assessment

- **Integrity:** High — deletion of critical files can compromise or destabilize the entire site, including the potential for unauthorized site reinstallation and admin account creation.
- **Availability:** High — deletion of essential files such as wp-config.php can result in complete site outage, preventing both users and administrators from accessing the site until manual restoration.
- **Confidentiality:** None — this vulnerability does not expose or leak sensitive data, but enables file removal.
- **Overall Severity:** High — due to the risk of full site downtime and takeover if exploited.

---

### Fix & Recommended Actions

**Malcure Advanced Edition v17.1.1** is available now. Update immediately:

1. Navigate to **Plugins → Installed Plugins** in WordPress admin.
2. Select **Malcure Advanced Edition**, click **Update now**, or manually upload **v17.1.1**.
3. If you are unable to update immediately, **disable the Advanced Edition** license.

---

### Disclosure Timeline

- **July 15, 2025** – Publicly disclosed the vulnerability ([wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2025-6043 "CVE-2025-6043 Impact, Exploitability, and Mitigation Steps | Wiz")).
- **July 16, 2025** – Patch released in **v17.1.1** and advisory published.

---

### Technical Summary

Authenticated users could bypass capability checks in `wpmr_delete_file()` under Advanced Edition, leading to deletion of plugin-managed files. While this could theoretically enable remote code execution, it remains a **complex exploitation path** with strict preconditions ([Vulmon](https://vulmon.com/vulnerabilitydetails?qid=CVE-2025-6043 "CVE-2025-6043 - Arbitrary File Deletion in Malcure Malware…")).
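
A missing-authorization bug of this class is closed by placing a nonce check and a capability check in front of the file operation, and by confining the path to one directory. The handler below is an added illustration and is not Malcure's code: the action name `example_delete_file`, the `file` and `nonce` parameters and the `example-quarantine` directory are hypothetical, and it assumes the function is exposed as a WordPress AJAX action and runs inside WordPress, which this advisory does not state.

```php
<?php
// Added illustration: hypothetical plugin code, not Malcure's source.
// Assumes it is loaded inside WordPress (for example as part of a plugin).

// wp_ajax_{action} fires for ANY logged-in user, Subscribers included,
// so the handler itself must enforce authorization.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file' );

function example_delete_file() {
    // 1. CSRF: reject requests without a valid nonce for this action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Authorization: only administrators may delete files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Input: require a path and confine it to one directory.
    if ( empty( $_POST['file'] ) || ! is_string( $_POST['file'] ) ) {
        wp_send_json_error( 'Missing file parameter.', 400 );
    }
    // Hypothetical directory holding the only files this action may remove.
    $base   = realpath( WP_CONTENT_DIR . '/example-quarantine' );
    // realpath() resolves "../" segments and symlinks before the comparison.
    $target = realpath( wp_unslash( $_POST['file'] ) );

    if ( false === $base || false === $target || ! is_file( $target )
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'File is outside the allowed directory.', 400 );
    }

    // 4. Act only after every check has passed.
    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'Delete failed.', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

Without step 2, any account that can log in reaches the `unlink()` call; without step 3, the path can point at files such as `wp-config.php`, which is the availability impact described above.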