What the vulnerability does
01Description
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.
Explanation of Vulnerability in Simple Terms
02Summary
Malcure Malware Shield versions 17.0 and earlier lack proper authorization checks, allowing authenticated users to modify or disable critical security functions. An attacker with a low-privilege account can alter malware detection settings, disable monitoring, or trigger denial-of-service conditions. This affects the integrity and availability of the malware protection system itself.
What an attacker can do
03Attacker Capabilities
Modify malware detection settings, disable monitoring, or cause the protection system to become unavailable.
Potential impact on your site
04Site Impact
Malware protection can be disabled or degraded by any authenticated user, leaving the system vulnerable to malware infections.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege user account on the system running Malcure Malware Shield.
Key dates
06Disclosure timeline
July 16, 2025
CVE published
April 8, 2026
Record updated