A new vulnerability, CVE-2025-6043, has been discovered in the Malcure Malware Scanner plugin for WordPress, a popular security tool used by over 10,000 websites to detect and remove malware. Security researchers from Wordfence disclosed this flaw on July 15, 2025, identifying it as a high-severity issue rated 8.1 on the CVSS scale. The vulnerability, tracked under CVE-2025-6043, remains unpatched as of July 16, 2025.
The issue lies in versions up to and including 16.8 of the plugin. The vulnerability allows authenticated users, even those with the lowest level of access, such as “subscribers”, to exploit a function called wpmr_delete_file() that lacks proper capability checks. If exploited, this flaw can result in arbitrary file deletion on the server, potentially leading to remote code execution, especially if advanced mode is enabled on the affected site.
What Makes CVE-2025-6043 Dangerous?
“This vulnerability is particularly concerning because the ‘subscriber’ role is often the default for registered users on many WordPress sites,” said Arkadiusz Hydzik, the security researcher credited with discovering the flaw.
The vulnerability falls under the classification of missing authorization, with the attack vector categorized as network-based (AV:N), requiring low complexity (AC:L) and low privileges (PR:L) to exploit. Notably, no user interaction (UI:N) is required, which means an attacker can exploit the flaw without tricking users into taking any actions.
Despite being a well-regarded plugin described as the “#1 Toolset for WordPress Malware Removal,” the Malcure Malware Scanner’s lack of proper access control in this function exposes websites to serious risk. Given the plugin’s reputation and widespread usage, this vulnerability, CVE-2025-6043, has gained attention within the WordPress and cybersecurity communities.
No Patch Released
Unfortunately, no official patch has been released by the developers of the Malcure Malware Scanner plugin as of this writing. Wordfence has advised users to consider disabling or uninstalling the plugin until a fix is provided, especially if their websites allow user registrations.
Security professionals are urging site owners to evaluate their risk tolerance and take proactive measures. This includes monitoring user activity, disabling unnecessary user registrations, or switching to alternative malware scanning solutions with a stronger security record.
The vulnerability is particularly dangerous when combined with advanced configurations of the plugin, such as “advanced mode,” which may elevate the impact of unauthorized file deletions. These deletions could potentially corrupt site functionality, erase critical configuration files, or open doors for further exploitation, including uploading malicious scripts or backdoors.
For now, WordPress administrators are advised to stay updated with the latest threat intelligence and keep a close watch on plugin updates. Until a secure version is released, using the Malcure Malware Scanner plugin in a production environment remains at risk.
Conclusion
The discovery of CVE-2025-6043 highlights the importance of regular plugin audits and enforcing the principle of least privilege for user roles. Disclosed on July 15, 2025, the flaw allows subscriber-level users to delete arbitrary files due to missing access controls, posing a serious threat to affected sites. With no patch currently available, users are strongly advised to uninstall or replace the plugin to mitigate risk.
