Description
The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-09-12
Score: 7.2 High
EPSS: 2.3% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Hack Repair Guy's Plugin Archiver, in versions up to and including 2.0.4, performs insufficient file path validation in its prepare_items function, allowing authenticated administrators to delete arbitrary files on the server. Deleting a critical file such as wp-config.php can lead to remote code execution or disrupt core functionality. The flaw is classified as CWE-22, a path traversal weakness.

Affected Systems

WordPress sites using The Hack Repair Guy's Plugin Archiver plugin, versions up to and including 2.0.4. The vulnerability affects all installations of the plugin regardless of configuration, as the path validation issue is in the core of the prepare_items routine.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of 2.3% is rated Low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated Administrator-level access to the WordPress backend, which is the attack vector inferred from the description and matches the AV:N/PR:H components of the CVSS vector. Once authenticated, an attacker can send a request that reaches the prepare_items function with a crafted file path to trigger deletion of critical server files.

Generated by OpenCVE AI on April 21, 2026 at 02:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update The Hack Repair Guy's Plugin Archiver to a version newer than 2.0.4
  • Disable the plugin if an update is not available until a patch is released
  • Restrict administrator access to trusted users only, and monitor file modifications in critical directories

Advisories
Source: EUVD
ID: EUVD-2025-29086
Title: The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

History

Mon, 15 Sep 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Sep 2025 10:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Sep 2025 21:30:00 +0000

Type: Description
Values Added: The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:46.364Z

Reserved: 2025-09-09T14:22:13.736Z

Link: CVE-2025-10176

Vulnrichment

Updated: 2025-09-15T14:44:32.907Z

NVD

Status: Deferred

Published: 2025-09-12T22:15:32.507

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T03:00:06Z

Weaknesses