Plattform
wordpress
Komponente
hackrepair-plugin-archiver
Behoben in
2.0.5
CVE-2025-10176 describes an arbitrary file deletion vulnerability discovered in The Hack Repair Guy's Plugin Archiver WordPress plugin. This flaw allows authenticated administrators to delete arbitrary files on the server, potentially leading to remote code execution if critical files like wp-config.php are targeted. The vulnerability affects versions 0.0 through 2.0.4 and a patch is expected to be released shortly.
The primary impact of CVE-2025-10176 is the ability for an authenticated administrator to delete arbitrary files on the WordPress server. While the vulnerability is classified as Arbitrary File Access, the potential for remote code execution is significant. Deleting critical files like wp-config.php would effectively compromise the entire WordPress installation, allowing an attacker to gain full control of the server. This could lead to data breaches, website defacement, and further exploitation of the compromised system. The ease of exploitation, combined with the potential for severe consequences, makes this a high-priority vulnerability.
CVE-2025-10176 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet widely available, but the vulnerability's nature and potential impact suggest it could become a target for exploitation. The vulnerability's reliance on administrator privileges may limit its immediate widespread exploitation, but it remains a significant risk for WordPress installations with poorly configured user roles.
WordPress websites utilizing The Hack Repair Guy's Plugin Archiver plugin, particularly those with weak password policies or compromised administrator accounts, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "prepare_items function" /var/www/html/wp-content/plugins/plugin-archiver/• wordpress / composer / npm:
wp plugin list --status=inactive | grep plugin-archiver• wordpress / composer / npm:
wp plugin list | grep plugin-archiver• wordpress / composer / npm:
curl -I http://your-wordpress-site.com/wp-content/plugins/plugin-archiver/ | grep -i 'wp-config.php'disclosure
Exploit-Status
EPSS
1.03% (77% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-10176 is to upgrade The Hack Repair Guy's Plugin Archiver plugin to a patched version. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily restricting administrator access to the plugin's file management features. Implement a Web Application Firewall (WAF) rule to block requests attempting to access or delete files outside of designated directories. Regularly review WordPress plugin permissions and ensure the principle of least privilege is enforced. Monitor WordPress logs for suspicious file deletion attempts.
Actualice el plugin The Hack Repair Guy's Plugin Archiver a la última versión disponible para solucionar la vulnerabilidad de eliminación arbitraria de archivos. Verifique que las actualizaciones automáticas de plugins estén habilitadas en WordPress o descargue la última versión desde el repositorio oficial de WordPress.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-10176 is a vulnerability in The Hack Repair Guy's Plugin Archiver WordPress plugin allowing authenticated administrators to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using The Hack Repair Guy's Plugin Archiver WordPress plugin in versions 0.0 through 2.0.4.
Upgrade the Plugin Archiver plugin to a patched version as soon as it becomes available. Disable the plugin as a temporary workaround.
There are currently no known public exploits, but the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the Plugin Archiver plugin's official website or WordPress.org plugin repository for updates and advisories related to CVE-2025-10176.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.