Platform: wordpress
Component: attachment-manager
Fixed in: 2.1.3
A critical vulnerability, CVE-2025-7643, has been identified in the WordPress Attachment Manager plugin. This vulnerability allows for arbitrary file deletion due to insufficient file path validation. Successful exploitation could lead to remote code execution, particularly if critical configuration files like wp-config.php are targeted. The vulnerability affects versions 0.0.0 through 2.1.2, and a patch is available in version 2.1.3.
The impact of CVE-2025-7643 is severe. An unauthenticated attacker can leverage this vulnerability to delete any file that the webserver user can write to. The most critical scenario involves deleting the wp-config.php file, which contains sensitive database credentials and configuration settings. Deletion of this file would effectively disable the WordPress site and could expose database information if backups are not properly secured. Furthermore, an attacker could delete other files required for WordPress to function, leading to a complete compromise of the web server. This is the same pattern as other arbitrary file deletion vulnerabilities: a user-supplied file path is not confined to the directory the plugin is meant to operate in.
CVE-2025-7643 was publicly disclosed on 2025-07-18. The vulnerability's CRITICAL CVSS score (9.1) reflects the ease of exploitation and potential impact. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's simplicity and high impact. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. This vulnerability has not yet been added to the CISA KEV catalog.
EPSS: 4.13% (89th percentile)
The primary mitigation for CVE-2025-7643 is to immediately upgrade the WordPress Attachment Manager plugin to version 2.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file upload permissions for unauthenticated users or implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file paths. Specifically, WAF rules should be configured to deny requests containing path traversal sequences (e.g., ../) in the filename parameter. After upgrading, verify the fix by attempting to access and delete a non-critical file through the plugin's interface to ensure that file path validation is properly enforced.
Update the Attachment Manager plugin to version 2.1.3 or higher to address the arbitrary file deletion vulnerability. This update corrects the inadequate file path validation, preventing unauthenticated attackers from deleting sensitive files on the server.
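As an added example (not the plugin's own code, which is PHP), the following shows the kind of containment check that closes an arbitrary file deletion bug, beside a WAF-style request check for the path traversal sequences mentioned above; the directory layout, the `filename` parameter and all function names are assumptions.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import parse_qs, unquote

def resolve_upload_path(uploads_dir: str, filename: str) -> Optional[str]:
    """Return the resolved path of `filename` inside `uploads_dir`, or None
    when it would escape that directory (traversal, absolute path, NUL byte)."""
    if not filename or "\x00" in filename:
        return None
    base = os.path.realpath(uploads_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Compare the *resolved* paths, so both "../" and symlinks are caught.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate

def delete_attachment(uploads_dir: str, filename: str) -> bool:
    """Hardened delete: only files that resolve inside the uploads directory."""
    target = resolve_upload_path(uploads_dir, filename)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def request_has_traversal(query_string: str, param: str = "filename") -> bool:
    """WAF-style check on the request: decode the parameter (twice, to catch
    double-encoding) and flag a '..' path segment or an absolute path."""
    for value in parse_qs(query_string, keep_blank_values=True).get(param, []):
        decoded = unquote(unquote(value)).replace("\\", "/")
        if decoded.startswith("/") or ".." in decoded.split("/"):
            return True
    return False

def demo() -> dict:
    """Build a throwaway WordPress-like tree (constructed) and run both checks."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    open(os.path.join(root, "wp-config.php"), "w").close()  # stand-in config file
    open(os.path.join(uploads, "photo.jpg"), "w").close()   # legitimate attachment
    return {
        "deletes_own_file": delete_attachment(uploads, "photo.jpg"),
        "refuses_config": delete_attachment(uploads, "../../wp-config.php"),
        "config_survives": os.path.isfile(os.path.join(root, "wp-config.php")),
        "waf_flags_encoded": request_has_traversal("filename=..%2F..%2Fwp-config.php"),
        "waf_allows_normal": request_has_traversal("filename=2025%2F07%2Fphoto.jpg"),
    }
```

The containment check is what a post-upgrade verification should confirm: a legitimate attachment is deletable, while a path that resolves outside the uploads directory is refused before any filesystem call.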
CVE-2025-7643 is a CRITICAL vulnerability in the WordPress Attachment Manager plugin allowing unauthenticated attackers to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are using WordPress Attachment Manager versions 0.0.0 through 2.1.2. Immediately check your plugin version and upgrade if necessary.
Upgrade the WordPress Attachment Manager plugin to version 2.1.3 or later to remediate the vulnerability. Consider temporary WAF rules as an interim measure.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted. Monitor security advisories and threat intelligence.
Refer to the WordPress Plugin Directory and the Attachment Manager plugin's official website for the latest advisory and updates.