Malcure Advanced Edition v16.9 Fixes CVE-2025-7772: Authenticated File-Read Vulnerability

Malcure Malware Scanner v16.9 addresses CVE‑2025‑7772, an authenticated arbitrary file‑read vulnerability that affects all installations of the plugin up to version 16.8. Authenticated users with Subscriber-level access (or higher) could exploit the wpmr_inspect_file() function to read any file on the server—potentially exposing critical data such as configuration or credential files. This issue has been fully resolved in v16.9, and we strongly recommend that all users update immediately. (Vulmon)

For this vulnerability to be exploitable, all of the following conditions must be met:

  1. The Malcure Malware Removal plugin must be installed and activated on the target WordPress site.
  2. The attacker must be authenticated, i.e. logged into the target WordPress site with a Subscriber-level or higher account.

If this is not the case, this vulnerability will not affect you.

Summary

CVE‑2025‑7772 is an authenticated arbitrary file-read vulnerability caused by a missing capability check in the wpmr_inspect_file() function. Authenticated users with Subscriber-level or higher access could read arbitrary files from the server. The issue affects all installations up to v16.8, regardless of Advanced Edition licensing. The vulnerability is fully resolved in v16.9. (Vulmon)
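The advisory attributes the bug to a missing capability check. The following is an added illustration of that bug class in a WordPress AJAX handler, not Malcure's code: all function, hook, action and nonce names are hypothetical, and the path confinement in the hardened version is an extra hardening step beyond the capability check the advisory describes.

```php
<?php
// Added illustration (not Malcure's code). Names such as hypothetical_inspect_file_*,
// the 'hypothetical_inspect' action and 'hypothetical_inspect_nonce' are placeholders.

// Unchecked shape: registering a wp_ajax_* hook (without wp_ajax_nopriv_) requires a
// logged-in user, but it fires for every authenticated role, Subscriber included.
function hypothetical_inspect_file_unchecked() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    wp_send_json_success( array( 'contents' => file_get_contents( $file ) ) );
}

// Hardened shape: nonce check, capability check, then confine the path to the
// WordPress install directory before reading anything.
function hypothetical_inspect_file_checked() {
    // 1. The request must carry a nonce issued to this user for this action (CSRF).
    check_ajax_referer( 'hypothetical_inspect_nonce', 'nonce' );

    // 2. Only administrators may inspect files; the Subscriber role lacks manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Canonicalize and confine the path: reject traversal and anything outside ABSPATH.
    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $base      = realpath( ABSPATH );
    $resolved  = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' ) );
    if ( false === $resolved
        || 0 !== strpos( $resolved, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $resolved ) ) {
        wp_send_json_error( array( 'message' => 'Invalid file path' ), 400 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $resolved ) ) );
}

// Authentication is enforced by the hook prefix; authorization must be enforced inside the handler.
add_action( 'wp_ajax_hypothetical_inspect', 'hypothetical_inspect_file_checked' );
```

When reviewing a plugin, the check to look for is step 2: a `wp_ajax_*` handler that reads or returns file contents without a `current_user_can()` test is reachable by any logged-in role.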
Affected Configurations

  • All versions up to and including v16.8, whether free or licensed Advanced Edition
  • Requires authenticated Subscriber-level (or higher) users — not exploitable by unauthenticated visitors (Vulmon)
  • Sites without logged-in users are not impacted

Impact Assessment

  • Confidentiality: High — allows reading arbitrary server files (database credentials, config files) ([X (formerly Twitter)][2], Vulmon)
  • Integrity: None — no file modification ability
  • Availability: None — no disruption to service
  • Overall Severity: Medium (CVSS 3.1: 6.5) ([GitHub][3], Vulmon)

Users must update immediately to v16.9:

  1. Navigate to Plugins → Installed Plugins in WordPress admin.
  2. Locate Malcure Malware Scanner and click “Update now”, or upload v16.9 manually.
  3. If updating is not immediately possible, consider disabling the plugin entirely until patched.

Disclosure Timeline

  • June 11, 2025 – Malcure v16.9 released to address the vulnerability
  • July 12, 2025 – CVE‑2025‑7772 published and recorded in Vulmon with a base score of 6.5 (Medium)

Why This Matters

Malicious authenticated users could previously access sensitive configuration and credential files. This update restores proper authorization checks and protects against unauthorized file access.
If you are using Malcure Malware Scanner v16.8 or earlier, update to v16.9 immediately.

For help, please contact our support team or consult the included release notes in the plugin.

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans network security, security auditing and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, ModSecurity, reverse proxies, developing web application firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.