CVE-2025-7640 HIGH

CVE-2025-7640: hiWeb Export Posts <= 0.9.0.0 - Cross-Site Request Forgery to Arbitrary File Deletion

Vendor Den-Media
Product hiWeb Export Posts
Weakness CWE-22 · Path traversal
Published July 24, 2025
Last update April 8, 2026

CVSS base score

8.1/10 (CVSS v3.1)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

What the vulnerability does

Description

The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation in the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Deleting the right file (such as wp-config.php) can easily lead to remote code execution.

Explanation of Vulnerability in Simple Terms

Summary

hiWeb Export Posts versions up to 0.9.0.0 contain a path traversal vulnerability that allows an attacker to write files outside the intended directory. The vulnerability requires user interaction and network access but does not require authentication. An attacker can modify or create files on the affected system, potentially compromising site integrity and availability.

What an attacker can do

Attacker Capabilities

Write or overwrite files outside the intended directory on the server.

Potential impact on your site

Site Impact

Attackers can modify site files, inject malicious code, or disable the site without needing a user account.

Conditions required to exploit

Prerequisites

Victim must visit a malicious link or page; no login required.

Key dates

Disclosure timeline

July 24, 2025 CVE published
April 8, 2026 Record updated