{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9518", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-26T23:18:49.599Z", "datePublished": "2025-09-04T04:23:47.557Z", "dateUpdated": "2026-04-08T16:37:17.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:17.206Z"}, "affected": [{"vendor": "docjojo", "product": "atec Debug", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170cd2e3-e31b-452e-8c15-d44a8be7757b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L320"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-36 Absolute Path Traversal", "cweId": "CWE-36", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-27T19:44:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-04T17:19:52.695278Z", "id": "CVE-2025-9518", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T17:20:07.540Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-04T17:19:52.695278Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T17:19:59.625Z"}}], "cna": {"title": "atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "docjojo", "product": "atec Debug", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-27T19:44:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-03T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170cd2e3-e31b-452e-8c15-d44a8be7757b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L320"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:17.206Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9518", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:17.206Z", "dateReserved": "2025-08-26T23:18:49.599Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-04T04:23:47.557Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "id": "CVE-2025-9518", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-04T10:42:35.410", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L320"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/170cd2e3-e31b-452e-8c15-d44a8be7757b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-36"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T22:17:00.040923+00:00", "value": {"mitigation_remediation": ["Upgrade the atec Debug plugin to the latest available version, assuming a fixed version has been released.", "Reduce the number of users with Administrator permissions and enforce least privilege so that only trusted accounts can perform configuration changes.", "Deploy file integrity monitoring or a comprehensive site security solution to alert on unexpected file deletions and detect potential abuse of the debug functionality.", "If the debug feature is not required, disable or delete the atec Debug plugin entirely to remove the attack surface."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution via File Deletion"}, "threat_synthesis": {"affected_systems": "WordPress installations running the atec Debug plugin from the vendor docjojo:atec Debug, in any version up to and including 1.2.22. The vulnerability applies only to users with Administrator-level permissions or higher.", "description_and_impact": "The atec Debug WordPress plugin fails to validate the value of the 'debug_path' parameter, allowing administrators or higher privileged users to specify any filesystem path. An attacker who can authenticate with an Administrator account can therefore send a request that causes the plugin to delete arbitrary files on the server. If critical files such as wp-config.php are removed, the attacker can assume full control over the site, enabling remote code execution and complete compromise. The weakness stems from insufficient input validation and results in a direct loss of confidentiality, integrity, and availability of the site's files.", "risk_and_exploitability": "The vulnerability is scored with a CVSS of 7.2, indicating a high severity or moderate risk depending on context, and an EPSS of 2%, implying a low likelihood of exploitation. The issue is not currently catalogued in CISA\u2019s KEV list. Exploitation requires attacker access to an account with administrator privileges; once such access is obtained by credential compromise or social engineering, the attack vector is straightforward: a crafted request containing an arbitrary path can delete critical files. The resulting loss of key configuration files can evolve into a full remote code execution scenario."}}}}, "created": "2025-09-04T13:12:12.071416+00:00", "updated": "2026-04-22T22:30:28.823902+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}