CVE-2025-6043 in Malcure Malware Scanner Plugin
Summary
by MITRE • 07/16/2025
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 16.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/16/2025
The CVE-2025-6043 vulnerability affects the Malcure Malware Scanner plugin for WordPress, which is marketed as the #1 toolset for WordPress malware removal. This plugin is widely used by WordPress administrators to detect and remove malicious code from their websites. The vulnerability stems from a critical authorization flaw in the wpmr_delete_file() function that handles file deletion operations within the plugin's codebase. The issue exists in all versions up to and including 16.8, making it a persistent threat across multiple releases of this security tool. The vulnerability is particularly concerning because it transforms what should be a protective security plugin into a potential attack vector that can be exploited by malicious actors.
The technical flaw in the wpmr_delete_file() function represents a classic privilege escalation vulnerability where proper capability checks are missing from the code implementation. This function fails to validate whether the authenticated user has appropriate permissions to perform file deletion operations, allowing any user with Subscriber-level access or higher to execute destructive file removal commands. The vulnerability specifically requires that advanced mode be enabled on the WordPress site for exploitation to occur, which suggests that the plugin's security controls are intentionally bypassed in certain configurations. This creates a scenario where legitimate site administrators might unknowingly enable features that expose their systems to greater risk.
The operational impact of this vulnerability is severe and multifaceted, as it enables authenticated attackers to perform arbitrary file deletions that can lead to complete system compromise. When combined with the ability to delete critical system files, this vulnerability can facilitate remote code execution and complete takeover of the affected WordPress installation. Attackers with Subscriber-level access can target not just malware-related files but potentially core WordPress files, plugin files, or theme files that could disrupt service availability or create backdoor access points. This vulnerability essentially provides attackers with a powerful weapon to destabilize WordPress sites and can be leveraged to establish persistent access to compromised systems.
This vulnerability aligns with CWE-284, which describes improper access control mechanisms that allow unauthorized users to access resources or perform operations they should not be permitted to execute. The flaw demonstrates how security controls can be bypassed through missing authorization checks, creating a dangerous situation where legitimate users gain elevated privileges beyond their intended access levels. From an attacker's perspective, this vulnerability maps to several ATT&CK techniques including privilege escalation and persistence mechanisms, where attackers can delete critical files to maintain access or disrupt system operations. The requirement for advanced mode to be enabled suggests that the plugin developers may have implemented additional security controls that can be bypassed by disabling certain protections, creating a false sense of security for administrators who enable advanced features without fully understanding the implications.
The recommended mitigation strategy involves immediate patching of the Malcure plugin to version 16.9 or later, which should contain the necessary capability checks to prevent unauthorized file deletion operations. Administrators should also consider disabling advanced mode if it is not strictly required for their security operations, as this configuration reduces the attack surface. Additionally, implementing proper access control measures through WordPress user role management can help limit the potential impact of such vulnerabilities. Regular security audits of installed plugins and monitoring for unauthorized file changes should be conducted to detect and respond to potential exploitation attempts. Organizations should also maintain comprehensive backup strategies that allow for rapid recovery from file deletion attacks, as this vulnerability can result in complete system compromise if exploited successfully.