CVE-2025-7778 CRITICAL

CVE-2025-7778: Icons Factory <= 1.6.12 - Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function

Vendor Artkrylov
Product Icons Factory
Weakness CWE-285
Published August 15, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php): with that file gone, WordPress drops back into its installer, and an attacker can re-run setup against a database they control and install arbitrary code through the resulting admin account.
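The advisory names two defects in one function: no authorization check and no validation of the path being deleted. The following is an added example, not the Icons Factory plugin's own code, showing what such a handler typically looks like in a WordPress plugin and the hardened form that closes both gaps. The AJAX action name ifx_delete_files, the request parameter files, the nonce action name, and the icons-factory upload subfolder are assumptions chosen for illustration.

```php
<?php
/*
 * Added example (hypothetical handler, not the plugin's code).
 * Action name, parameter names and the "icons-factory" folder are assumed.
 */

/*
 * VULNERABLE pattern: hooked on wp_ajax_nopriv_, so any visitor can call it;
 * no capability or nonce check; the caller controls the path, so a value such
 * as "../../wp-config.php" is concatenated and deleted as-is.
 */
function ifx_delete_files_vulnerable() {
    $files = isset( $_POST['files'] ) ? (array) $_POST['files'] : array();
    $base  = wp_upload_dir()['basedir'] . '/icons-factory/';
    foreach ( $files as $f ) {
        $path = $base . $f;           // no normalisation, no containment check
        if ( file_exists( $path ) ) {
            unlink( $path );          // arbitrary file deletion
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_ifx_delete_files', 'ifx_delete_files_vulnerable' );
add_action( 'wp_ajax_ifx_delete_files', 'ifx_delete_files_vulnerable' );

/*
 * HARDENED form: no nopriv hook, explicit capability check, CSRF nonce, and
 * every requested name must resolve (via realpath) inside the plugin's own
 * upload folder before anything is removed.
 */
function ifx_delete_files_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'ifx_delete_files', 'nonce' ); // dies on a bad or missing nonce

    $base = realpath( wp_upload_dir()['basedir'] . '/icons-factory' );
    if ( false === $base ) {
        wp_send_json_error( 'missing base directory', 500 );
    }

    $files   = isset( $_POST['files'] ) ? (array) wp_unslash( $_POST['files'] ) : array();
    $deleted = array();

    foreach ( $files as $f ) {
        $f = (string) $f;
        // Accept only a bare, sanitised file name; anything containing a
        // separator or traversal sequence changes under basename()/sanitize
        // and is rejected outright.
        $name = sanitize_file_name( basename( $f ) );
        if ( '' === $name || $name !== $f ) {
            continue;
        }
        $real = realpath( $base . DIRECTORY_SEPARATOR . $name );
        // Containment check on the resolved path: this also defeats a symlink
        // dropped inside the folder that points at wp-config.php.
        if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
            continue;
        }
        if ( is_file( $real ) ) {
            wp_delete_file( $real );
            if ( ! file_exists( $real ) ) {
                $deleted[] = $name;
            }
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests never reach it.
add_action( 'wp_ajax_ifx_delete_files', 'ifx_delete_files_hardened' );
```

When reviewing a plugin for this bug class, check each of the three layers separately: the hook registration (a wp_ajax_nopriv_ hook or an admin_init/init handler reachable without login), the capability and nonce checks inside the callback, and whether the path is validated after resolution rather than by string filtering of the raw input.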

Explanation of Vulnerability in Simple Terms

02 Summary

Icons Factory versions 1.6.12 and earlier expose a file-deletion routine, delete_files(), that neither checks whether the caller is authorized (CWE-285) nor validates the path it is asked to remove. An unauthenticated attacker can therefore delete arbitrary files the web server process can write to, including wp-config.php, and from there take over the site. The vulnerability requires no user interaction and is exploitable over the network; confidentiality, integrity and availability are all rated High because deleting the right file leads to full compromise rather than just data loss.

What an attacker can do

03 Attacker Capabilities

Delete arbitrary files the web server process can write to, without authentication, and escalate from there: removing wp-config.php forces WordPress back into its installer, which can be re-run against an attacker-controlled database to obtain an administrator account and remote code execution.

Potential impact on your site

04 Site Impact

Attackers can take the site offline by deleting core or plugin files, and can escalate to full site takeover (theft of stored data, altered content, arbitrary code execution) by deleting wp-config.php and re-running the installer against a database they control, all without a user account on the site.

Conditions required to exploit

05 Prerequisites

Network access to a site running Icons Factory 1.6.12 or earlier with the plugin active; no authentication, nonce or user interaction is required. Only files that the web server process has write permission on can be deleted, which on most hosting setups includes WordPress's own files such as wp-config.php.

Key dates

06 Disclosure timeline

August 15, 2025 CVE published
April 8, 2026 Record updated