Description
The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-09-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hack Repair Guy's Plugin Archiver plugin performs insufficient file path validation in its prepare_items function, allowing authenticated administrators to delete arbitrary files on the server. Deleting the right file, such as wp-config.php, can lead to remote code execution. This flaw is identified as CWE‑22, a path traversal or path manipulation weakness.

Affected Systems

WordPress sites using The Hack Repair Guy's Plugin Archiver plugin, versions up to and including 2.0.4. The vulnerability affects all installations of the plugin regardless of configuration, as the path validation issue is in the core of the prepare_items routine.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, and the EPSS score of < 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated Administrator-level access, per the description. Once authenticated, an attacker can supply a malicious file path that reaches the prepare_items function to delete specific server files, potentially enabling remote code execution when critical files are removed.

Generated by OpenCVE AI on June 18, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update The Hack Repair Guy's Plugin Archiver to a version newer than 2.0.4
  • If no update is available, disable the plugin until a patch is released
  • Restrict administrator access to trusted users only, and monitor file modifications in critical directories

Advisories
Source: EUVD
ID: EUVD-2025-29086
Title: The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

History

Mon, 15 Sep 2025 15:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Sep 2025 10:45:00 +0000

Values added:
  • First Time appeared: Wordpress; Wordpress wordpress
  • Vendors & Products: Wordpress; Wordpress wordpress

Fri, 12 Sep 2025 21:30:00 +0000

Values added:
  • Description: The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
  • Title: The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion
  • Weaknesses: CWE-22
  • References
  • Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:46.364Z

Reserved: 2025-09-09T14:22:13.736Z

Link: CVE-2025-10176

Vulnrichment

Updated: 2025-09-15T14:44:32.907Z

NVD

Status: Deferred

Published: 2025-09-12T22:15:32.507

Modified: 2026-06-17T08:27:49.607

Link: CVE-2025-10176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T02:45:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')