Description
The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-04-18
Score: 8.1 High
EPSS: 4.9% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Avatar plugin performs insufficient validation of file paths in its file deletion function, which lets an authenticated user delete any file on the server. With Subscriber-level access or higher, an attacker can remove critical files such as wp-config.php, which can quickly lead to remote code execution.
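The defensive pattern that closes this class of bug, as an added illustration that is not the Avatar plugin's code: the handler, function name, the `upload_files` capability requirement and the nonce action name are all assumptions. It confines a user-supplied name to the WordPress uploads directory via `realpath()` and refuses callers who lack the capability, so a Subscriber cannot reach the deletion at all.

```php
<?php
// Hypothetical hardened deletion handler (not from the plugin). Returns true only
// when the target resolves to a regular file inside the uploads directory.
function avatar_example_delete_upload( string $requested ): bool {
    // Capability gate: Subscribers do not have 'upload_files', so they stop here.
    if ( ! current_user_can( 'upload_files' ) ) {
        return false;
    }
    // Accept a bare filename only; any directory component ('../', '/') is rejected
    // outright instead of being "sanitised".
    $name = basename( $requested );
    if ( $name === '' || $name !== $requested ) {
        return false;
    }
    // realpath() resolves symlinks and '..'; the result must still sit under $base.
    $base = realpath( wp_upload_dir()['basedir'] );
    $path = ( $base === false ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $base === false || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }
    // Never delete directories or special files, only regular files.
    if ( ! is_file( $path ) ) {
        return false;
    }
    return unlink( $path );
}

// AJAX entry point (assumed action name). The nonce check blocks CSRF; the
// capability check inside the function blocks low-privilege accounts.
add_action( 'wp_ajax_avatar_example_delete', function () {
    check_ajax_referer( 'avatar_example_delete', 'nonce' );
    $ok = avatar_example_delete_upload( (string) ( $_POST['file'] ?? '' ) );
    wp_send_json( array( 'deleted' => $ok ), $ok ? 200 : 403 );
} );
```

With this shape a request naming `../../wp-config.php` fails the `basename()` comparison before any filesystem call, and a symlink planted inside uploads that points outside it fails the `realpath()` prefix check.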

Affected Systems

All installations of the Avatar plugin by wonderboymusic up to version 0.1.4 are affected. Any WordPress site running these plugin versions is vulnerable; the issue originates from the plugin's file deletion function.

Risk and Exploitability

The CVSS score of 8.1 reflects a high-severity, remotely exploitable issue, while an EPSS score of 5% indicates a moderate likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV. Attackers must be authenticated as at least a Subscriber, but the deletion is triggered over the network, so the attack vector is network-based. Once a critical file such as wp-config.php is removed, code execution could follow.

Generated by OpenCVE AI on April 22, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Avatar plugin to the latest version (or remove it if no update is available).
  • Restrict the file deletion capability by revoking Subscriber-level permissions or disabling the feature via plugin settings.
  • Audit the site's file system for missing critical files and enforce strict file permissions to reduce impact.


Advisories
Source: EUVD
ID: EUVD-2025-11807
Title: The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Fri, 10 Apr 2026 04:15:00 +0000

Metrics (ssvc, added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Apr 2025 02:00:00 +0000

Description (added): The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title (added): Avatar <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion
Weaknesses (added): CWE-22
References (added):
Metrics (cvssV3_1, added): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:32.045Z

Reserved: 2025-04-11T14:49:59.710Z

Link: CVE-2025-3520

Vulnrichment

Updated: 2025-04-18T11:40:19.327Z

NVD

Status: Deferred

Published: 2025-04-18T02:15:14.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3520

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses