Platform
wordpress
Component
wp-manga-theme-madara
Fixed in
2.2.4
CVE-2025-7712 represents a critical Arbitrary File Access vulnerability affecting the Madara - Core plugin for WordPress. This flaw allows unauthenticated attackers to delete files on the server, posing a significant risk of remote code execution. The vulnerability impacts versions 0.0.0 through 2.2.3 of the plugin, and a fix is available in version 2.2.4.
The impact of CVE-2025-7712 is severe due to its potential for remote code execution. An attacker can exploit this vulnerability by crafting a malicious request to delete critical files, such as wp-config.php. Deletion of wp-config.php would effectively grant the attacker complete control over the WordPress installation, enabling them to modify the database, upload malicious code, and compromise the entire website. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. Successful exploitation could lead to data breaches, website defacement, and complete system takeover.
CVE-2025-7712 has been publicly disclosed and is considered a high-priority vulnerability. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. The vulnerability's ease of exploitation and potential for RCE suggest a high probability of active exploitation campaigns. The vulnerability was published on 2025-07-17. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the Madara - Core plugin, particularly those running versions 0.0.0 through 2.2.3, are at significant risk. Shared hosting environments where file permissions are less restrictive are especially vulnerable, as are websites with outdated or unpatched WordPress installations.
• wordpress / composer / npm:
grep -r 'wp_manga_delete_zip' /var/www/html/wp-content/plugins/madara-core/
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/madara-core/ | grep -i '2.2.3' # check for version disclosure
Exploit status
EPSS
4.13% (89th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-7712 is to immediately upgrade the Madara - Core plugin to version 2.2.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. While a direct WAF rule is difficult to implement due to the nature of the file deletion, restricting file access permissions on the server and carefully reviewing file upload configurations can help reduce the attack surface. Regularly scan the WordPress installation for unauthorized files and monitor server logs for suspicious activity related to file deletion attempts. After upgrading, confirm the fix by attempting a file deletion request through the plugin's interface and verifying that the request is properly rejected.
Update the Madara - Core plugin to version 2.2.4 or later to mitigate the arbitrary file deletion vulnerability. This update corrects the validation of file paths, preventing unauthenticated attackers from deleting sensitive files on the server, such as wp-config.php.
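Added example, not code from this advisory or from the Madara plugin: Python illustrating the kind of file-path validation the fix above describes (resolve the path, confine it to one directory, allow only the expected file type), together with a simple scan of web-server access-log lines for path-traversal attempts, as the mitigation section recommends. Everything in it is an assumption about what such checks look like: the function names, the `.zip` allow-list, the protected-file list, the temporary directory layout and the sample log lines are constructed, and nothing here reproduces the plugin's own handler.

```python
"""Constructed example: confined file deletion plus a log scan for traversal."""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Files a delete routine should never touch even when they resolve inside the
# permitted directory (illustrative list, an assumption of this example).
PROTECTED_NAMES = {"wp-config.php", ".htaccess", "index.php"}


def validate_delete_target(base_dir, user_path, allowed_suffixes=(".zip",)):
    """Return the resolved path if user_path names a regular file strictly
    inside base_dir with an allowed extension; raise ValueError otherwise.

    Resolving both sides (symlinks followed) before the containment check is
    what defeats '../' sequences, absolute paths and symlink escapes.
    """
    base = Path(base_dir).resolve(strict=True)
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not accepted")
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise ValueError(f"{user_path!r} resolves outside {base}")
    if candidate.name in PROTECTED_NAMES:
        raise ValueError(f"{candidate.name} is a protected file")
    if candidate.suffix.lower() not in allowed_suffixes:
        raise ValueError(f"extension {candidate.suffix!r} is not deletable")
    if not candidate.is_file():
        raise ValueError(f"{candidate} is not a regular file")
    return candidate


def safe_delete(base_dir, user_path):
    """Delete only after validation; True when deleted, False when refused."""
    try:
        target = validate_delete_target(base_dir, user_path)
    except ValueError:
        return False
    target.unlink()
    return True


# Traversal markers after URL-decoding, including an over-encoded variant.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_traversal_requests(log_lines):
    """Return (status, raw_url) pairs for requests whose decoded URL contains
    a traversal marker. Two decode passes catch double-encoded input."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        url, status = match.group(1), int(match.group(2))
        if TRAVERSAL.search(unquote(unquote(url))):
            hits.append((status, url))
    return hits


# Constructed sample access-log lines, not real traffic.
ACCESS_LOG = [
    '203.0.113.5 - - [17/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/madara-core/readme.txt HTTP/1.1" 200 1204',
    '203.0.113.9 - - [17/Jul/2025:10:00:07 +0000] "GET /wp-content/plugins/madara-core/?f=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [17/Jul/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31',
]


def demo():
    """Build a throwaway layout, exercise the checks, return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "uploads"
        uploads.mkdir()
        (uploads / "chapter-01.zip").write_bytes(b"PK")
        (uploads / "notes.txt").write_text("x")
        (root / "wp-config.php").write_text("<?php // constructed stand-in")
        try:  # symlink inside uploads pointing outside it
            (uploads / "escape.zip").symlink_to(root / "wp-config.php")
        except OSError:
            pass  # platforms without symlink support still refuse (not a file)
        return {
            "legit_zip": safe_delete(uploads, "chapter-01.zip"),
            "traversal": safe_delete(uploads, "../wp-config.php"),
            "absolute": safe_delete(uploads, str(root / "wp-config.php")),
            "symlink_escape": safe_delete(uploads, "escape.zip"),
            "wrong_type": safe_delete(uploads, "notes.txt"),
            "config_survives": (root / "wp-config.php").exists(),
            "log_hits": flag_traversal_requests(ACCESS_LOG),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The containment check compares resolved paths rather than string prefixes, so a sibling directory such as `uploads2` or a symlink planted inside the allowed directory cannot slip past it; the extension allow-list and protected-name set are a second layer in case the directory itself is ever misconfigured. The log scan is intentionally generic: it flags traversal markers in any request rather than matching one endpoint, which is what you want when the plugin's request shape is unknown or changes between versions.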
CVE-2025-7712 is a CRITICAL vulnerability in the Madara - Core WordPress plugin allowing unauthenticated attackers to delete files, potentially leading to remote code execution.
You are affected if you are using Madara - Core plugin versions 0.0.0 through 2.2.3. Upgrade immediately.
Upgrade the Madara - Core plugin to version 2.2.4 or later. If upgrading is not possible, implement temporary workarounds like restricting file access permissions.
While not confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation campaigns.
Refer to the official Madara - Core plugin website or WordPress plugin repository for the latest advisory and update information.