Platform
wordpress
Component
vikinger
Fixed in
1.9.33
CVE-2025-4946 is an arbitrary file deletion vulnerability affecting the Vikinger WordPress theme. This flaw allows authenticated users with Subscriber-level access or higher to delete arbitrary files on the server. Successful exploitation can lead to remote code execution, particularly if critical configuration files like wp-config.php are targeted. The vulnerability impacts versions 0.0.0 through 1.9.32 of the Vikinger theme and requires the Vikinger Media plugin to be installed and active.
The primary impact of CVE-2025-4946 is the potential for remote code execution (RCE). While the vulnerability requires authentication, the relatively low privilege level (Subscriber) makes it accessible to a significant portion of WordPress users. An attacker could delete critical files, such as wp-config.php, which contains sensitive database credentials and configuration settings. Deletion of this file would effectively disable the WordPress site and potentially allow the attacker to gain control of the database and server. The Vikinger Media plugin dependency expands the attack surface, as the vulnerability is tied to its functionality. The ease of file deletion, combined with the potential for RCE, makes this a high-risk vulnerability.
CVE-2025-4946 was publicly disclosed on 2025-07-02. As of this date, no public proof-of-concept (PoC) exploits have been released, but the vulnerability's ease of exploitation suggests that PoCs are likely to emerge. The EPSS score is likely to be medium due to the relatively low privilege requirement and potential for RCE. The vulnerability is not currently listed on the CISA KEV catalog.
WordPress websites using the Vikinger theme, particularly those with the Vikinger Media plugin installed and active, are at risk. Sites with weak password policies or overly permissive user roles are especially vulnerable, as an attacker could easily gain Subscriber-level access. Shared hosting environments where multiple WordPress sites share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r 'vikinger_delete_activity_media_ajax' /var/www/html/wp-content/plugins/
• wordpress / composer / npm:
wp plugin list | grep vikinger
• wordpress / composer / npm:
curl -I 'http://your-wordpress-site.com/wp-admin/admin-ajax.php?action=vikinger_delete_activity_media_ajax' | grep -i '200 OK'
Disclosure
Exploit status
EPSS
2.19% (84th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-4946 is to upgrade the Vikinger WordPress theme to a patched version. The vendor has not yet released a fixed version, so immediate action is required. As a temporary workaround, restrict file permissions on sensitive files like wp-config.php to prevent unauthorized access and modification. Consider implementing a Web Application Firewall (WAF) with rules to block suspicious file deletion requests targeting the vikinger_delete_activity_media_ajax AJAX action on admin-ajax.php. Regularly review WordPress user roles and permissions to ensure that only authorized users have access to administrative functions. After upgrading, verify the integrity of the WordPress installation by checking for any unauthorized file modifications and confirming that the Vikinger Media plugin is functioning as expected.
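As an added example (not code from this page or from the Vikinger vendor), the WAF-style rule above can also be enforced inside WordPress itself with a must-use plugin that refuses the vikinger_delete_activity_media_ajax action for any user lacking the manage_options capability until the theme is upgraded; the capability chosen and the plugin file name are assumptions.

```php
<?php
/**
 * Plugin Name: Temporary guard for CVE-2025-4946 (added example, not vendor code)
 * Description: Refuses the vikinger_delete_activity_media_ajax AJAX action for
 *              users without the manage_options capability.
 */

// Save as wp-content/mu-plugins/cve-2025-4946-guard.php (file name is an assumption).
// Must-use plugins load before the theme, so this runs ahead of the theme's handler.
// manage_options is an assumption chosen to be restrictive: only administrators
// keep the action; lower roles (Subscriber and up) are blocked.

defined( 'ABSPATH' ) || exit;

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before dispatching the wp_ajax_* hooks,
    // so checking here intercepts the action before the theme's callback runs.
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }

    // The action name arrives in GET or POST; sanitize_key normalises it.
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 'vikinger_delete_activity_media_ajax' !== $action ) {
        return;
    }

    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrators keep the feature while the upgrade is pending.
    }

    // Record the blocked call for detection/IR, then refuse the request.
    error_log( sprintf(
        'CVE-2025-4946 guard: blocked %s for user %d from %s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'Action temporarily disabled.' ), 403 );
} );
```

Remove the file once the theme is on 1.9.33 or later; blocked calls appear in the PHP error log, which a SIEM can watch for the string "CVE-2025-4946 guard".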
Update the Vikinger theme to a version later than 1.9.32 to mitigate the arbitrary file deletion vulnerability. Make sure the Vikinger Media plugin is also up to date. Check file and directory permissions to limit access and reduce the risk of exploitation.
CVE-2025-4946 is a HIGH severity vulnerability in the Vikinger WordPress theme allowing authenticated users to delete arbitrary files, potentially leading to remote code execution if critical files like wp-config.php are targeted. It affects versions 0.0.0–1.9.32.
You are affected if your WordPress site uses the Vikinger theme, specifically versions 0.0.0 through 1.9.32, and the Vikinger Media plugin is installed and active. Check your theme version immediately.
Upgrade the Vikinger WordPress theme to a patched version as soon as it becomes available. Until then, restrict file permissions and consider using a WAF to mitigate the risk.
While no public exploits have been released yet, the vulnerability's ease of exploitation suggests active exploitation is possible. Monitor your systems closely.
Check the official Vikinger WordPress theme website and the WordPress plugin repository for updates and advisories related to CVE-2025-4946.