---
title: "Malcure Advanced Edition v16.9 Fixes CVE-2025-7772: Authenticated File-Read Vulnerability"
date: 2025-06-11
author: "Shiv"
featured_image: "https://malcure.com/wp-content/uploads/2025/07/malcure-advanced-edition-v169-fixes-cve-2025-7772-authenticated-file-read-vulnerability-scaled.jpg"
categories:
  - name: "Security"
    url: "/blog/security.md"
---

# Malcure Advanced Edition v16.9 Fixes CVE-2025-7772: Authenticated File-Read Vulnerability

Malcure Malware Scanner **v16.9** addresses **CVE‑2025‑7772**, an authenticated arbitrary file‑read vulnerability that affects all installations of the plugin up to version 16.8. Authenticated users with Subscriber-level access (or higher) could exploit the `wpmr_inspect_file()` function to read any file on the server—potentially exposing critical data such as configuration or credential files. This issue has been fully resolved in v16.9, and we strongly recommend that all users update immediately. ([Vulmon](https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2025-7772 "CVE-2025-7772 : Arbitrary File Read Vulnerability in Malcure ..."))

For this vulnerability to be exploitable, all of the following conditions must be met:

1. The Malcure Malware Removal plugin must be installed and activated on the target WordPress system.
2. The user must be authenticated and logged into the target WordPress website.

**If this is not the case, this vulnerability will not affect you.**

### Summary

CVE‑2025‑7772 is an **authenticated arbitrary file-read vulnerability** caused by a missing capability check in the `wpmr_inspect_file()` function. Authenticated users with Subscriber-level or higher access could read arbitrary files from the server. The issue affects all installations up to **v16.8**, regardless of Advanced Edition licensing. The vulnerability is fully resolved in **v16.9**. ([Vulmon](https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2025-7772 "CVE-2025-7772 : Arbitrary File Read Vulnerability in Malcure ..."))

---

### Affected Configurations

- All versions up to and including **v16.8**, whether free or licensed Advanced Edition
- Requires **authenticated Subscriber-level** (or higher) users — not exploitable by unauthenticated visitors ([Vulmon](https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2025-7772 "CVE-2025-7772 : Arbitrary File Read Vulnerability in Malcure ..."))
- Sites without logged-in users are not impacted

---

### Impact Assessment

- **Confidentiality:** High — allows reading arbitrary server files (database credentials, config files) (X (formerly Twitter), [Vulmon](https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2025-7772 "CVE-2025-7772 : Arbitrary File Read Vulnerability in Malcure ..."))
- **Integrity:** None — no file modification ability
- **Availability:** None — no disruption to service
- **Overall Severity:** Medium (CVSS 3.1: 6.5) (GitHub, [Vulmon](https://www.vulmon.com/vulnerabilitydetails?qid=CVE-2025-7772 "CVE-2025-7772 : Arbitrary File Read Vulnerability in Malcure ..."))

---

### Remediation & Recommended Actions

Users must **update immediately** to **v16.9**:

1. Navigate to **Plugins → Installed Plugins** in WordPress admin.
2. Locate **Malcure Malware Scanner** and click **“Update now”**, or upload **v16.9** manually.
3. If updating is not immediately possible, consider disabling the plugin entirely until patched.
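
To confirm which installs still need the update, the following added example (not Malcure's code) reads the plugin header from each folder under a `wp-content/plugins` directory and flags any version below 16.9. Identifying the plugin by "malcure" in its `Plugin Name` header, and all function names, are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

FIXED = (16, 9)  # first fixed release according to this advisory
# WordPress reads plugin metadata from a comment header in the first 8 KiB.
HEADER = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$", re.M | re.I)


def read_headers(php_file):
    """Return the first 'plugin name' and 'version' header values found."""
    text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    found = {}
    for key, value in HEADER.findall(text):
        found.setdefault(key.lower(), value.strip())
    return found


def parse_version(raw):
    """'16.8' -> (16, 8); anything after the dotted number is ignored."""
    nums = re.match(r"\d+(?:\.\d+)*", raw.strip())
    return tuple(int(n) for n in nums.group().split(".")) if nums else ()


def audit(plugins_dir, name_match="malcure"):
    """Return (folder, version, status) for each matching plugin found."""
    results = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php_file)
        # Assumption: the plugin is identified by its Plugin Name header.
        if name_match not in headers.get("plugin name", "").lower():
            continue
        version = parse_version(headers.get("version", ""))
        if not version:
            status = "unknown"  # no parsable Version header: check by hand
        else:
            status = "affected" if version < FIXED else "fixed"
        results.append((php_file.parent.name, ".".join(map(str, version)), status))
    return results


if __name__ == "__main__":
    # Constructed sample tree; the folder and file names are made up.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "sample-plugin").mkdir()
        Path(root, "sample-plugin", "main.php").write_text(
            "<?php\n/*\n * Plugin Name: Malcure Malware Scanner\n * Version: 16.8\n */\n")
        print(audit(root))
```

On a real host, call `audit()` with the site's plugins directory; a deactivated copy still shows up, which is useful because it can be re-enabled later without being updated.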

---

### Disclosure Timeline

- **June 11, 2025** – Malcure **v16.9** released to address the vulnerability
- **July 12, 2025** – CVE‑2025‑7772 published and recorded in Vulmon with a base score of 6.5 (Medium)

---

### Why This Matters

Malicious authenticated users could previously access sensitive configuration and credential files. This update restores proper authorization checks and protects against unauthorized file access.

---

**If you are using Malcure Malware Scanner v16.8 or earlier, update to v16.9 immediately.**

For help, please contact our support team or consult the included release notes in the plugin.