A critical vulnerability identified as CVE-2025-6043 has been uncovered in the Malcure Malware Scanner plugin for WordPress, which is installed on over 10,000 websites. This flaw, rated 8.1 on the CVSS scale, was disclosed on July 15, 2025, and remains unpatched. It affects plugin versions up to 16.8 and allows even low-privileged users, such as subscribers, to delete files on the server because the plugin performs no proper authorization check. This could lead to severe consequences, including remote code execution, particularly if advanced mode is activated.
The vulnerability is alarming because the subscriber role is the default for registered users on many WordPress sites. The flaw is rated as network-exploitable with low attack complexity, low privileges required and no user interaction, which makes it easier for attackers to exploit.
Despite the plugin’s reputation as a leading tool for malware removal, its inadequate access control poses significant risks. With no patch available, Wordfence recommends disabling or uninstalling the plugin, especially on sites with user registration, to prevent potential exploitation.
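To show the bug class the advisory describes (a file-delete action reachable by any authenticated user because a capability check is missing), here is an added illustration in WordPress plugin code; it is not the Malcure plugin's code, and the hook names, function names and the `wp-content` confinement are hypothetical choices for this example.

```php
<?php
// Added illustration, not the Malcure plugin's code: an admin-ajax file-delete
// handler first with the access-control gap, then hardened. Hook and function
// names are hypothetical.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every logged-in role, so a
// subscriber can reach this handler and delete an arbitrary file.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_unchecked' );
function example_delete_file_unchecked() {
    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( $path && file_exists( $path ) ) {
        unlink( $path ); // no capability check, no nonce, no path restriction
    }
    wp_send_json_success();
}

// HARDENED PATTERN: capability check, nonce check and path confinement.
add_action( 'wp_ajax_example_delete_file_safe', 'example_delete_file_checked' );
function example_delete_file_checked() {
    // Only users allowed to manage the site may delete files; subscribers fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // Reject requests that did not originate from the plugin's own admin page.
    check_ajax_referer( 'example_delete_file', 'nonce' ); // dies on failure

    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $base      = realpath( WP_CONTENT_DIR );
    $target    = realpath( $base . '/' . ltrim( $requested, '/' ) );

    // Refuse anything that resolves outside wp-content (traversal, symlinks).
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    if ( is_file( $target ) && unlink( $target ) ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'delete failed', 500 );
}
```

When auditing a plugin for this class of bug, look for `wp_ajax_*`, REST and `admin_post_*` handlers that touch the filesystem without a `current_user_can()` check; the nonce alone does not authorize, it only prevents cross-site request forgery.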
Security experts advise site owners to assess their risk tolerance and take proactive steps, such as monitoring user activity and disabling unnecessary registrations. The vulnerability’s impact is heightened with advanced plugin configurations, which could lead to site corruption or further exploitation.
WordPress administrators should stay informed of the latest threats and plugin updates. Until a secure version is released, using the Malcure Malware Scanner in production environments is risky. This incident underscores the need for regular plugin audits and strict user role privileges to safeguard websites.