{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9048", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-14T19:33:35.186Z", "datePublished": "2025-08-23T04:25:46.658Z", "dateUpdated": "2026-04-08T16:49:47.242Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:47.242Z"}, "affected": [{"vendor": "wptobe", "product": "Wptobe-memberships", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "Wptobe-memberships <= 3.4.2 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/466568c5-33a9-4891-b4ad-9bc6052603cb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php#L156"}, {"url": "https://plugins.svn.wordpress.org/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Aril Aprilio"}], "timeline": [{"time": "2025-08-22T15:47:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-25T17:26:17.863401Z", "id": "CVE-2025-9048", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:31:11.349Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9048", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-25T17:26:17.863401Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-25T17:31:06.982Z"}}], "cna": {"title": "Wptobe-memberships <= 3.4.2 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Aril Aprilio"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "wptobe", "product": "Wptobe-memberships", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-22T15:47:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/466568c5-33a9-4891-b4ad-9bc6052603cb?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php#L156"}, {"url": "https://plugins.svn.wordpress.org/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php"}], "descriptions": [{"lang": "en", "value": "The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-23T04:25:46.658Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9048", "state": "PUBLISHED", "dateUpdated": "2025-08-25T17:31:11.349Z", "dateReserved": "2025-08-14T19:33:35.186Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-23T04:25:46.658Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento Wptobe-memberships para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n del_img_ajax_call() en todas las versiones hasta la 3.4.2 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-9048", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-23T05:15:33.827", "references": [{"source": "security@wordfence.com", "url": "https://plugins.svn.wordpress.org/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wptobe-memberships/trunk/bwlms-fields/bwlms-fields.php#L156"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/466568c5-33a9-4891-b4ad-9bc6052603cb?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:17:30.312239+00:00", "value": {"mitigation_remediation": ["Upgrade the wptobe-memberships plugin to the latest version available from the vendor, ensuring the file path validation fix has been applied.", "Restrict the ability of Subscriber-level users to invoke the del_img_ajax_call endpoint, for example by using a role editor to remove that capability or by adding a custom hook to deny the action for non\u2011administrator users.", "Deploy a file integrity monitoring solution to detect and alert on unexpected deletions of critical files such as wp\u2011config.php."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file deletion that could lead to remote code execution"}, "threat_synthesis": {"affected_systems": "All installations of the Wptobe-memberships plugin up to and including version 3.4.2 are affected. The vulnerability is present in any WordPress site that has the plugin installed, regardless of other plugins or themes, as long as the user has at least a Subscriber role and the capability to trigger the delete image AJAX call.", "description_and_impact": "The Wptobe-memberships plugin for WordPress contains a flaw in the del_img_ajax_call() function where insufficient file path validation allows users with Subscriber-level access and above to delete any file on the server. This can remove critical configuration files, such as wp-config.php, thereby enabling an attacker to achieve remote code execution. The weakness is identified as CWE\u201173.", "risk_and_exploitability": "The CVSS score is 8.1, indicating high severity. The EPSS score is below 1%, suggesting that, while the exploitation probability is low, the impact would be severe if exploited. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with Subscriber or higher privileges to trigger the deletion, so the attack vector is local to a logged\u2011in user\u2019s session. The lack of additional remote access requirements limits quick exploitation but does not eliminate the risk, especially in environments where Subscriber roles are widely granted."}}}}, "created": "2025-08-23T10:54:58.531457+00:00", "updated": "2026-04-21T19:30:06.080524+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}