{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10176", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-09T14:22:13.736Z", "datePublished": "2025-09-12T21:25:25.732Z", "dateUpdated": "2026-04-08T17:25:46.364Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:46.364Z"}, "affected": [{"vendor": "tvcnet", "product": "The Hack Repair Guy's Plugin Archiver", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d449a285-34f5-41ed-acfd-2a9acfb04271?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/hackrepair-plugin-archiver/tags/2.0.4/includes/list.php#L39"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-08T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-09-10T14:25:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-12T09:16:21.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-15T14:44:30.332660Z", "id": "CVE-2025-10176", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-15T15:11:05.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10176", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-15T14:44:30.332660Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-15T14:44:32.907Z"}}], "cna": {"title": "The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "tvcnet", "product": "The Hack Repair Guy's Plugin Archiver", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-08T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-09-10T14:25:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-12T09:16:21.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d449a285-34f5-41ed-acfd-2a9acfb04271?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/hackrepair-plugin-archiver/tags/2.0.4/includes/list.php#L39"}], "descriptions": [{"lang": "en", "value": "The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:25:46.364Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10176", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:25:46.364Z", "dateReserved": "2025-09-09T14:22:13.736Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-12T21:25:25.732Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-10176", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-12T22:15:32.507", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/hackrepair-plugin-archiver/tags/2.0.4/includes/list.php#L39"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d449a285-34f5-41ed-acfd-2a9acfb04271?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:56:18.832550+00:00", "value": {"mitigation_remediation": ["Update The Hack Repair Guy's Plugin Archiver to a version newer than 2.0.4", "Disable the plugin if an update is not available until a patch is released", "Restrict administrator access to trusted users only, and monitor file modifications in critical directories"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites using The Hack Repair Guy's Plugin Archiver plugin, versions up to and including 2.0.4. The vulnerability affects all installations of the plugin regardless of configuration, as the path validation issue is in the core of the prepare_items routine.", "description_and_impact": "The Hack Repair Guy's Plugin Archiver 2.0.4 contains insufficient file path validation in its prepare_items function, allowing authenticated administrators to delete arbitrary files on the server. Removing critical files such as wp-config.php can lead to remote code execution, as the attacker gains the ability to delete and replace server files or disrupt core functionality. This flaw is identified as CWE-22, a path traversal or path manipulation weakness.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity, and an EPSS score of 2% suggests a moderate probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must have authenticated administrator access to the WordPress backend, which is the likely attack vector inferred from the description. Once authenticated, an attacker can craft a request to the prepare_items endpoint with a malicious file path to trigger deletion of critical server files."}}}}, "created": "2025-09-15T10:43:41.181433+00:00", "updated": "2026-04-21T03:00:06.380919+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}