CVE-2025-6043 HIGH

CVE-2025-6043: Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 17.0 - Authenticated (Subscriber+) Arbitrary File Deletion

Vendor Malcure
Product Malcure Malware Shield — Removal, Repair, Monitor
Weakness CWE-862 · Missing authorization
Published July 16, 2025
Last update April 8, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.

Explanation of Vulnerability in Simple Terms

02Summary

Malcure Malware Shield versions 17.0 and earlier lack proper authorization checks, allowing authenticated users to modify or disable critical security functions. An attacker with a low-privilege account can alter malware detection settings, disable monitoring, or trigger denial-of-service conditions. This affects the integrity and availability of the malware protection system itself.

What an attacker can do

03Attacker Capabilities

Modify malware detection settings, disable monitoring, or cause the protection system to become unavailable.

Potential impact on your site

04Site Impact

Malware protection can be disabled or degraded by any authenticated user, leaving the system vulnerable to malware infections.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the system running Malcure Malware Shield.

Key dates

06Disclosure timeline

July 16, 2025 CVE published
April 8, 2026 Record updated