Malcure Vulnerability (CVE-2025-6043) Threatens Over 10,000 Websites


New WordPress Vulnerability: CVE-2025-6043 and Its Implications

A recently discovered security vulnerability, identified as CVE-2025-6043, has raised significant alarms within the WordPress community. This flaw has been found in the Malcure Malware Scanner plugin, a widely used tool designed to help over 10,000 websites detect and eliminate malware. Wordfence, a well-known security research team, made this alarming discovery public on July 15, 2025. It has been assigned a high-severity rating of 8.1 on the Common Vulnerability Scoring System (CVSS) scale, and, as of July 16, 2025, no patch has been made available.

Understanding the Vulnerability

The flaw impacts all versions of the Malcure Malware Scanner plugin up to and including version 16.8. The core issue lies in a particular function named wpmr_delete_file(), which lacks adequate capability checks. This means that even authenticated users with the lowest access levels—such as “subscribers”—can exploit this vulnerability. If manipulated, it could lead to unauthorized file deletions on the server. The risk amplifies for websites operating in an advanced configuration mode, which can open doors to remote code execution.

Why is CVE-2025-6043 a Serious Concern?

Arkadiusz Hydzik, the security researcher who uncovered the flaw, commented on the vulnerability’s gravity, particularly noting that the “subscriber” role is a common default setting for registered users on many WordPress sites. This adds an additional layer of risk, as even those with minimal permissions can take advantage of the gap in security.

The vulnerability is classified as a case of missing authorization. Per its CVSS vector, it is exploitable over the network (AV:N), with low attack complexity (AC:L) and low privileges required (PR:L). Importantly, no user interaction (UI:N) is needed, meaning attackers do not have to trick users into performing any actions to exploit this vulnerability.

Despite its reputation as a leading tool for malware removal—often touted as the “#1 Toolset for WordPress Malware Removal”—the absence of proper access control within this plugin poses a significant threat to websites that rely on it.

Current Status: No Patch Available

As it stands, the developers of the Malcure Malware Scanner have yet to release an official patch for this vulnerability. In light of this, Wordfence recommends that users take precautionary measures. Disabling or uninstalling the plugin is advised, especially for sites that allow user registrations.
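Acting on that advice starts with knowing which installs carry an affected copy. The following is an added example, not code from Wordfence or the plugin's developers: it reads the WordPress plugin headers under a plugins directory and flags any Malcure copy at or below version 16.8. Matching on the word "Malcure" in the Plugin Name header is an assumption, and the folder names, file names and the 16.9 version in the sample are constructed.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (16, 8)  # per the advisory: all versions up to and including 16.8
NAME_HINT = "malcure"    # assumption: the "Plugin Name" header contains this word
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def read_plugin_header(php_file: Path) -> dict:
    """Return the Plugin Name / Version header fields found in the first 8 KiB of a file."""
    text = php_file.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value)  # keep the first occurrence only
    return fields

def version_tuple(version: str) -> tuple:
    """'16.8' -> (16, 8); a suffix such as '-beta' is ignored, '' gives ()."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))

def find_affected(plugins_dir: Path) -> list:
    """List (folder, version) for every matching plugin at or below LAST_AFFECTED."""
    hits = []
    for php_file in sorted(plugins_dir.glob("*/*.php")):
        header = read_plugin_header(php_file)
        if NAME_HINT not in header.get("plugin name", "").lower():
            continue
        version = header.get("version", "")
        # A missing version parses to () and is reported, which errs on the safe side.
        if version_tuple(version) <= LAST_AFFECTED:
            hits.append((php_file.parent.name, version))
    return hits

def build_sample_site(root: Path) -> Path:
    """Constructed sample: plugin folders with made-up names, headers and versions."""
    plugins = root / "wp-content" / "plugins"
    for folder, name, version in [("scanner-old", "Malcure Malware Scanner", "16.8"),
                                  ("scanner-new", "Malcure Malware Scanner", "16.9"),
                                  ("other-plugin", "Some Other Plugin", "1.0")]:
        (plugins / folder).mkdir(parents=True)
        (plugins / folder / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n")
    return plugins

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_affected(build_sample_site(Path(tmp))))
```

On a real host, pass the site's own `wp-content/plugins` path to `find_affected()` instead of the constructed sample.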

Recommended Actions for Site Owners

In response to this security risk, cybersecurity experts urge website owners to reassess their risk tolerance regarding the use of the Malcure plugin. Here are some practical steps to consider:

  1. Monitor User Activity: Keep a close eye on registered users and their activities to detect any unusual behavior.

  2. Limit User Registrations: If possible, disable user registrations to reduce the number of individuals who could potentially exploit this vulnerability.

  3. Explore Alternative Solutions: Consider switching to different malware scanning plugins that offer stronger security capabilities.

The risk escalates further when the plugin is configured in its advanced mode. Unauthorized file deletions, in this case, could disrupt site functionality, delete critical configuration files, or even open pathways for hackers to upload malicious scripts.

Keeping Up with Threat Intelligence

For now, WordPress administrators should remain vigilant and stay informed about the latest cybersecurity developments. Regularly check for updates from the developers of the Malcure Malware Scanner plugin and consider the implications of continuing to use the plugin in a live environment. Until a secure version is released, continuing to run this plugin may compromise site security.

Conclusion

The emergence of CVE-2025-6043 serves as a crucial reminder of the need for regular audits of installed plugins and the importance of enforcing strict access controls for user roles. While this vulnerability was disclosed on July 15, 2025, its implications could affect many WordPress sites. Users should take immediate action to protect their websites by uninstalling or replacing the plugin until a fix is available.

Media Disclaimer: This report is based on various internal and external research sources. The information is intended for reference purposes, and users assume full responsibility for its accuracy and any consequences of using it.
