Platform
wordpress
Component
hackrepair-plugin-archiver
Fixed in
2.0.5
CVE-2025-10176 describes an arbitrary file deletion vulnerability discovered in The Hack Repair Guy's Plugin Archiver WordPress plugin. This flaw allows authenticated administrators to delete arbitrary files on the server, potentially leading to remote code execution if critical files like wp-config.php are targeted. The vulnerability affects versions 0.0 through 2.0.4 and a patch is expected to be released shortly.
The primary impact of CVE-2025-10176 is the potential for remote code execution. By exploiting this vulnerability, an attacker with administrator privileges can delete arbitrary files on the WordPress server. The most critical scenario involves deleting wp-config.php, which contains sensitive database credentials and configuration settings. Loss of this file would effectively disable the WordPress site and could allow an attacker to gain complete control over the server. Furthermore, deletion of other critical system files could lead to denial of service or further compromise of the system. This vulnerability shares similarities with other file deletion vulnerabilities where improper input validation allows attackers to bypass security controls.
CVE-2025-10176 was publicly disclosed on 2025-09-12. Currently, there are no known public proof-of-concept exploits available, but the ease of exploitation given administrator access suggests a medium probability of exploitation. The vulnerability has not been added to the CISA KEV catalog as of this writing. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS
1.03% (77% percentile)
CISA SSVC
CVSS Vector
The immediate mitigation for CVE-2025-10176 is to upgrade the Plugin Archiver plugin to a patched version as soon as it becomes available. Until a patch is released, consider disabling the plugin entirely to prevent exploitation. As a temporary workaround, restrict file access permissions on the WordPress server to minimize the potential impact of a successful attack. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the plugin's endpoints. Monitor WordPress logs for unusual file deletion activity. After upgrading, verify the fix by attempting to access and delete a non-critical file through the plugin's interface to ensure proper validation is in place.
Actualice el plugin The Hack Repair Guy's Plugin Archiver a la última versión disponible para solucionar la vulnerabilidad de eliminación arbitraria de archivos. Verifique que las actualizaciones automáticas de plugins estén habilitadas en WordPress o descargue la última versión desde el repositorio oficial de WordPress.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-10176 is a vulnerability in The Hack Repair Guy's Plugin Archiver WordPress plugin allowing authenticated administrators to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using The Hack Repair Guy's Plugin Archiver WordPress plugin in versions 0.0 through 2.0.4.
Upgrade the Plugin Archiver plugin to a patched version as soon as it becomes available. Disable the plugin as a temporary workaround.
There are currently no known public exploits, but the vulnerability's ease of exploitation suggests a medium probability of exploitation.
Refer to the Plugin Archiver plugin's official website or WordPress.org plugin repository for updates and advisories related to CVE-2025-10176.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.