Description
The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVE-2025-32509 is a duplicate of this.
Published: 2025-04-08
Score: 9.1 Critical
EPSS: 1.1% Low
KEV: No
Impact: Remote Code Execution via Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

The Simple WP Events plugin does not sufficiently validate the file path passed to the wpe_delete_file AJAX action. Unauthenticated callers can request deletion of any file on the hosting server, including critical configuration files such as wp-config.php. Removing such files can readily lead to remote code execution or leave the WordPress installation inoperable. The weakness is classified as CWE-73 (External Control of File Name or Path).

Affected Systems

All WordPress installations running the Simple WP Events plugin version 1.8.17 or earlier are impacted. The vulnerability is specific to the Simple WP Events plugin (listed as wpminds:Simple WP Events) and affects sites that have not upgraded beyond the stated version.

Risk and Exploitability

The vulnerability has a CVSS score of 9.1, indicating a very high risk. The EPSS score of 1% shows that a non‑negligible probability of exploitation exists at this time. While the issue is not listed in CISA KEV, its lack of authentication requirements and the potential to delete critical files make it a serious threat that can be executed via a simple web request. Attackers can download the site’s public files, then issue a crafted AJAX request to delete any file on the server, leading to loss of data or remote code execution.

Generated by OpenCVE AI on April 20, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Simple WP Events plugin to a version newer than 1.8.17.
  • If an immediate update is not possible, block the wpe_delete_file AJAX action by modifying .htaccess or server configuration so that only authenticated users can access it.
  • As a temporary measure, enforce strict file permissions on essential configuration files such as wp-config.php to prevent deletion by the web server.

Generated by OpenCVE AI on April 20, 2026 at 23:21 UTC.
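
One way to implement the authentication and file path validation that the actions above call for, as an added example (not code from the plugin or its vendor). The function names, the file parameter, the nonce action, the capability and the example-plugin uploads subdirectory are all hypothetical.

```php
<?php
// Added illustration: NOT the plugin's code. Function names, the 'file'
// parameter, the nonce action and the allowed base directory are assumptions.

/**
 * Resolve $requested against $base_dir and return the canonical path only if
 * it is an existing regular file strictly inside $base_dir; otherwise null.
 */
function example_resolve_inside( string $base_dir, string $requested ): ?string {
    $base = realpath( $base_dir );
    if ( false === $base || '' === $requested || false !== strpos( $requested, "\0" ) ) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the prefix check
    // below runs on the path the filesystem would actually act on.
    $real = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' ) );
    if ( false === $real || ! is_file( $real ) ) {
        return null;
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real, $prefix, strlen( $prefix ) ) ? $real : null;
}

function example_ajax_delete_file(): void {
    // Authorization first: valid nonce and a capability (hypothetical choices).
    check_ajax_referer( 'example_delete_file', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $uploads   = wp_upload_dir();
    $target    = is_string( $requested )
        ? example_resolve_inside( $uploads['basedir'] . '/example-plugin', $requested )
        : null;
    if ( null === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}

// Registered only on the logged-in hook; there is no wp_ajax_nopriv_*
// counterpart, so unauthenticated requests never reach the handler.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_example_delete_file', 'example_ajax_delete_file' );
}
```

With this check, a request naming wp-config.php through a relative path resolves outside the allowed directory and is rejected before any delete call is made.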


Advisories
Source: EUVD
ID: EUVD-2025-10089
Title: The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Values Added: The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVE-2025-32509 is a duplicate of this.
Type: References

Tue, 08 Apr 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 08 Apr 2025 04:30:00 +0000

Type: Description
Values Added: The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Type: Title
Values Added: Simple WP Events <= 1.8.17 - Unauthenticated Arbitrary File Deletion
Type: Weaknesses
Values Added: CWE-73
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:44.022Z

Reserved: 2025-03-05T21:07:47.358Z

Link: CVE-2025-2004

Vulnrichment

Updated: 2025-04-08T14:27:23.914Z

NVD

Status: Deferred

Published: 2025-04-08T05:15:39.767

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2004

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:30:16Z
