Platform
wordpress
Component
wp-manga-theme-madara
Fixed version
2.2.4
CVE-2025-7712 is a critical arbitrary file deletion vulnerability in the Madara - Core plugin for WordPress, caused by insufficient file path validation in the plugin's wp_manga_delete_zip() function. It allows unauthenticated attackers to delete arbitrary files on the server, which can be turned into remote code execution when the right file is removed. All versions up to and including 2.2.3 are affected; the fix is in version 2.2.4.
The impact is severe because file deletion is a direct route to remote code execution on WordPress. An attacker sends a crafted request that names a file outside the intended directory, such as wp-config.php. When wp-config.php is missing, WordPress falls back to its installation wizard, which lets the attacker point a fresh install at a database they control, obtain an administrator account and upload a malicious plugin or theme, giving them full control of the site. No authentication is required, so the flaw is reachable by anyone who can reach the site. Successful exploitation can lead to data breaches, website defacement and complete system takeover.
The vulnerability was published on 2025-07-17 and is not currently listed in the CISA KEV catalog. No public proof-of-concept is recorded on this page, but the flaw is reachable without authentication and the request is simple to craft, so the likelihood of exploitation is high once the details are public; treat it as a high-priority fix.
Any WordPress site running Madara - Core 2.2.3 or earlier is at risk, regardless of the WordPress core version. The deletion executes with the web server's operating-system privileges, so a file can be removed wherever that user has write access to the containing directory; on typical installs and on shared hosting where the PHP user owns the whole site tree, that includes wp-config.php.
• wordpress (server side):
grep -rl 'wp_manga_delete_zip' /var/www/html/wp-content/plugins/madara-core/   # confirms the plugin code is present; the fixed release keeps this function, so the version decides
wp plugin get madara-core --field=version --path=/var/www/html   # WP-CLI; vulnerable if the result is below 2.2.4
• generic web:
curl -s https://your-wordpress-site.com/wp-content/plugins/madara-core/readme.txt | grep -i 'stable tag'   # version disclosure, only if the plugin ships a web-readable readme.txt; 'curl -I' on the plugin directory returns headers and no version
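The shell checks above can be combined into one audit that also tests the precondition for the worst case (whether the PHP user is allowed to unlink wp-config.php). The script below is an added example, not part of the original page or of the plugin; the plugin directory name madara-core is taken from the commands above and the script name is an assumption.

```php
<?php
// Added example (not part of the original page or of the plugin): a stand-alone
// audit script for one site. Run it as the OS user that executes PHP for the
// site (e.g. www-data) so the permission check below reflects reality:
//   php madara_audit.php /var/www/html
// The plugin directory name "madara-core" is taken from the detection commands
// above; adjust it if your install uses a different slug.

const FIXED_VERSION = '2.2.4';

// WordPress reads plugin metadata from a "Version: x.y.z" line in the header
// comment of the plugin's main file. Scan the top-level .php files for it.
function plugin_header_version( string $plugin_dir ): ?string {
    foreach ( glob( $plugin_dir . '/*.php' ) ?: array() as $file ) {
        $head = file_get_contents( $file, false, null, 0, 8192 ); // header sits at the top
        if ( $head !== false && preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $m ) ) {
            return $m[1];
        }
    }
    return null;
}

// Walk the plugin tree looking for the vulnerable function name. This only
// confirms the code base is present (the fixed release keeps the function);
// the version comparison is the actual verdict.
function contains_function( string $plugin_dir, string $needle ): bool {
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $plugin_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $entry ) {
        if ( $entry->isFile() && substr( $entry->getFilename(), -4 ) === '.php'
             && strpos( (string) file_get_contents( $entry->getPathname() ), $needle ) !== false ) {
            return true;
        }
    }
    return false;
}

$root       = rtrim( $argv[1] ?? getcwd(), '/' );
$plugin_dir = $root . '/wp-content/plugins/madara-core';
$rc         = 0;

if ( ! is_dir( $plugin_dir ) ) {
    echo "madara-core: not installed under $plugin_dir\n";
    exit( 0 );
}
if ( ! contains_function( $plugin_dir, 'wp_manga_delete_zip' ) ) {
    echo "madara-core: directory present but wp_manga_delete_zip() not found; check manually\n";
}

$version = plugin_header_version( $plugin_dir );
if ( $version === null ) {
    echo "madara-core: installed, version header not found; check manually\n";
    $rc = 2;
} elseif ( version_compare( $version, FIXED_VERSION, '<' ) ) {
    echo "madara-core $version: VULNERABLE to CVE-2025-7712 (fixed in " . FIXED_VERSION . ")\n";
    $rc = 1;
} else {
    echo "madara-core $version: patched\n";
}

// The deletion runs with the web server's privileges, so wp-config.php can
// only be unlinked if that user may write to the directory containing it.
// WordPress also accepts wp-config.php one level above the site root.
foreach ( array( $root . '/wp-config.php', dirname( $root ) . '/wp-config.php' ) as $cfg ) {
    if ( is_file( $cfg ) ) {
        $state = is_writable( dirname( $cfg ) ) ? 'CAN be deleted by this user' : 'cannot be deleted by this user';
        echo "$cfg: $state\n";
        break;
    }
}
exit( $rc );
```

The exit code (1 = vulnerable, 2 = version unknown, 0 = patched or not installed) makes the script usable from a fleet-wide SSH loop or a cron job; the wp-config.php line tells you whether the file-permission workaround described in the mitigation section is actually in effect on that host.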
Exploit status
EPSS
4.13% (89th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-7712 is to upgrade the Madara - Core plugin to version 2.2.4 or later immediately. If upgrading is not yet feasible because of compatibility concerns, reduce exposure in the meantime. The deletion executes with the web server's privileges, so a file can only be removed if that OS user has write permission on the file's parent directory: keeping the site root (where wp-config.php lives) owned by a separate account and not writable by the PHP user blocks the worst outcome, at the cost of WordPress no longer being able to edit wp-config.php itself. A precise WAF rule needs the exact parameter and action name of the plugin's zip-deletion endpoint; as a coarse stopgap, reject requests whose parameters contain path traversal sequences (../) or reference wp-config.php. Monitor access logs for such requests to admin-ajax.php and other plugin endpoints, scan the installation for unexpected files, and alert if wp-config.php disappears (a site that suddenly serves the WordPress installation screen is the tell-tale sign). After upgrading, confirm that the installed version is 2.2.4 or later (for example with wp plugin get madara-core --field=version) and, on a staging copy, verify that a deletion request naming a path outside the plugin's upload directory is rejected.
Updating the Madara - Core plugin to version 2.2.4 or later mitigates the arbitrary file deletion vulnerability. The update corrects the file path validation so that unauthenticated attackers can no longer delete sensitive files on the server (such as wp-config.php).
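As an added illustration, not the plugin's own code (the real wp_manga_delete_zip() is not reproduced here), the hypothetical WordPress AJAX handler below shows the vulnerable pattern described above next to a hardened version that does the path validation the fix is about. The hook names, the example_ function names, the nonce action and the manga/ upload subdirectory are assumptions for the example.

```php
<?php
// Added example, not Madara - Core's own code. Hook names, function names,
// the nonce action and the "manga" upload subdirectory are assumptions.

// VULNERABLE pattern: the filename comes straight from the request and is
// concatenated into a path. "../../../wp-config.php" walks out of the upload
// directory and unlinks the site's configuration file. Registering the
// handler on wp_ajax_nopriv_* makes it reachable without logging in.
function example_vulnerable_delete_zip() {
    $file = isset( $_POST['file'] ) ? $_POST['file'] : '';
    $dir  = wp_upload_dir();
    $path = $dir['basedir'] . '/manga/' . $file; // no validation of $file at all
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_zip', 'example_vulnerable_delete_zip' );
add_action( 'wp_ajax_nopriv_example_delete_zip', 'example_vulnerable_delete_zip' ); // unauthenticated

// HARDENED version: require a logged-in user with a capability and a valid
// nonce, drop any directory component, allow only .zip, then canonicalise and
// confine the result to the intended directory before deleting anything.
// wp_send_json_error() terminates the request, so no return is needed after it.
function example_hardened_delete_zip() {
    check_ajax_referer( 'example_delete_zip', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $dir      = wp_upload_dir();
    $base_dir = realpath( $dir['basedir'] . '/manga' );
    $raw      = (string) wp_unslash( $_POST['file'] ?? '' );

    // Reject NUL bytes before they reach filesystem functions, then keep only
    // the last path segment so "../" and absolute paths cannot survive.
    if ( $base_dir === false || $raw === '' || strpos( $raw, "\0" ) !== false ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    $file = basename( $raw );
    if ( $file === '' || $file === '.' || $file === '..'
         || strtolower( pathinfo( $file, PATHINFO_EXTENSION ) ) !== 'zip' ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // realpath() resolves symlinks and "..": the prefix check on its output,
    // not basename() above, is what actually confines the deletion. A symlink
    // inside manga/ that points at wp-config.php is rejected here as well.
    $target = realpath( $base_dir . DIRECTORY_SEPARATOR . $file );
    if ( $target === false || ! is_file( $target )
         || strpos( $target, $base_dir . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    unlink( $target );
    wp_send_json_success( array( 'deleted' => $file ) );
}
add_action( 'wp_ajax_example_hardened_delete_zip', 'example_hardened_delete_zip' ); // no nopriv hook
```

Two design points matter beyond the path check: the hardened handler is registered only on wp_ajax_* (never wp_ajax_nopriv_*), so it is unreachable without a session, and authorization is enforced with a capability plus a nonce rather than by trusting that the caller is the plugin's own front end. Restricting the extension to .zip is defence in depth; the realpath prefix comparison is the control that would have stopped wp-config.php from being named at all.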
CVE-2025-7712 is a critical vulnerability in the Madara - Core WordPress plugin that lets unauthenticated attackers delete arbitrary files on the server, which can lead to remote code execution.
You are affected if you run Madara - Core version 2.2.3 or earlier (all releases before the fix). Upgrade immediately.
Upgrade the Madara - Core plugin to version 2.2.4 or later. If you cannot upgrade yet, make sure the PHP user cannot write to the directory that holds wp-config.php and add a WAF rule that rejects path traversal sequences in request parameters.
Active exploitation has not been confirmed and the CVE is not listed in CISA KEV, but the flaw is unauthenticated and simple to trigger, so treat exploitation as likely.
Refer to the vendor's changelog for Madara - Core and the NVD entry for CVE-2025-7712 for the latest advisory and update information.