Description
The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active.
Published: 2025-07-02
Score: 8.1 High
EPSS: 2.2% Low
KEV: No
Impact: Arbitrary File Deletion leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vikinger_delete_activity_media_ajax() function in the Vikinger theme does not adequately validate the file path it receives (CWE-22, path traversal), so any authenticated user with Subscriber level or higher can make the theme delete arbitrary files that the web-server process is permitted to remove, not just the activity media the function is meant to handle. Deleting wp-config.php is the classic escalation: without that file WordPress re-enters its installation routine, which an attacker can complete against a database they control and then use to run arbitrary plugin or theme code, yielding full site compromise. The vulnerable code path is only reachable when the Vikinger Media plugin is installed and active, and the attacker must hold an account on the site with at least the Subscriber role.

Affected Systems

The affected product is the Vikinger theme for WordPress by Odin Design; all released versions up to and including 1.9.32 are vulnerable. The issue is exposed on any WordPress installation running the theme together with the Vikinger Media plugin (installed and active); without that plugin the vulnerable function is not reachable.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) describes a network-reachable flaw with low attack complexity that needs only low privileges and no user interaction; the impact is scored on integrity and availability, not confidentiality. The EPSS score of 2.2% places the estimated probability of exploitation in the wild in the low range, but it is not negligible. Because the attack needs only a logged-in account with Subscriber or greater privileges, the barrier to entry is low on sites that allow open registration, which is common for community and social-network themes such as Vikinger. The vulnerability is not in the CISA KEV catalog, and the SSVC assessment recorded below lists Exploitation as none and Automatable as no; if exploited, it results in file deletion, site downtime, and potential remote code execution. Attackers would trigger the theme's AJAX handler with a crafted file path; WordPress AJAX handlers of this kind are normally registered on wp_ajax_* hooks and served through wp-admin/admin-ajax.php, which is the endpoint defenders should monitor.

Generated by OpenCVE AI on April 22, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Vikinger theme to a release later than 1.9.32 once the vendor ships one that addresses this issue. The vulnerable range ends at 1.9.32, but this page records no confirmed fixed version, so check the vendor changelog for the path-validation fix before relying on an upgrade alone.
  • If an upgrade is not immediately possible, remove or deactivate the Vikinger Media plugin (the vulnerable code path is only reachable while it is active), or modify the theme so that the vikinger_delete_activity_media_ajax() handler is gated behind an administrator capability check and validates that the target path resolves inside the uploads directory.
  • Harden file-system permissions to limit the blast radius: removing a file requires write permission on its parent directory, not on the file itself, so make sure the web-server user does not own or have write access to the WordPress root and in particular to the directory holding wp-config.php (WordPress also supports placing wp-config.php one directory above the web root). The uploads directory must stay writable for the site to function, so this contains the damage rather than removing the bug. Audit uploaded content afterwards to confirm that no files outside the intended directories remain reachable.
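As an added illustration for the flaw described under Impact and the handler-side mitigation in the list above (this is not the Vikinger theme's own code and not a reconstruction of it), the hypothetical PHP below shows the CWE-22 pattern the advisory describes, an AJAX action that unlinks a path built from request input, next to a hardened replacement: a nonce check, an ownership/capability check instead of an open handler, deletion by attachment ID rather than by path, and a canonical-path containment check. All example_* function names, the hook name and the 'file' and 'attachment_id' POST fields are assumptions; the WordPress APIs called (check_ajax_referer, wp_upload_dir, get_post_field, wp_delete_attachment and friends) are real.

```php
<?php
// Added illustration for CVE-2025-4946 (CWE-22). NOT the Vikinger theme's code;
// all example_* names, the hook name and the POST field names are assumptions.

// --- Vulnerable pattern (do not use) ----------------------------------------
function example_delete_media_ajax_vulnerable() {
    // Any logged-in user reaches wp_ajax_* hooks; no nonce, capability or
    // ownership check is performed here.
    $file = wp_unslash( $_POST['file'] ?? '' );        // e.g. "../../../wp-config.php"
    $path = wp_upload_dir()['basedir'] . '/' . $file;   // plain concatenation, no canonicalisation
    if ( file_exists( $path ) ) {
        unlink( $path );                                // "../" walks out of the uploads dir
    }
    wp_send_json_success();
}

// --- Hardened replacement ---------------------------------------------------
/**
 * Resolve $relative against $base_dir and return the canonical absolute path,
 * or null if the target does not exist or would escape $base_dir.
 * Pure PHP (no WordPress dependency), so it can be unit-tested on its own.
 */
function example_resolve_inside( string $base_dir, string $relative ): ?string {
    $base = realpath( $base_dir );
    if ( $base === false || $relative === '' || strpos( $relative, "\0" ) !== false ) {
        return null;                                    // bad base, empty input or NUL byte
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( $target === false ) {
        return null;                                    // does not exist / unresolvable
    }
    // Containment check on canonical paths: "../" and symlinks are already
    // resolved by realpath(), so a simple prefix comparison is sufficient.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $target, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;                                    // escaped the uploads directory
    }
    return $target;
}

function example_delete_media_ajax_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_delete_media', 'nonce' );

    // 2. Authorisation: act on an attachment ID, never on a caller-supplied
    //    path, and require that the caller owns it (or may delete others' posts).
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $owner_id      = (int) get_post_field( 'post_author', $attachment_id );
    if ( ! $attachment_id
         || get_post_type( $attachment_id ) !== 'attachment'
         || ( $owner_id !== get_current_user_id() && ! current_user_can( 'delete_others_posts' ) ) ) {
        wp_send_json_error( 'forbidden', 403 );         // wp_send_json_error() exits
    }

    // 3. Defence in depth: confirm the stored file really sits inside the
    //    uploads directory before anything touches the filesystem.
    $stored = (string) get_post_meta( $attachment_id, '_wp_attached_file', true );
    $path   = example_resolve_inside( wp_upload_dir()['basedir'], $stored );
    if ( $path === null ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Let WordPress remove the attachment, its generated sizes and metadata.
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_media', 'example_delete_media_ajax_hardened' );
```

The quick stopgap from the list above (administrators only) is a single extra line at the top of the handler, `if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'forbidden', 403 ); }`, but it breaks the feature for ordinary members, so the ownership check is the durable fix. Note that example_resolve_inside() relies on realpath(), which only works for paths that exist; that is exactly the right behaviour for a delete operation, but a handler that creates files needs a normalisation routine instead.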


Advisories

Source: EUVD
ID: EUVD-2025-19695
Title: The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active.

History

Wed, 02 Jul 2025 14:15:00 +0000

Metrics added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Jul 2025 09:30:00 +0000

Description added: The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active.
Title added: Vikinger <= 1.9.32 - Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function
Weaknesses added: CWE-22
References
Metrics added (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:41:48.194Z

Reserved: 2025-05-19T05:22:38.122Z

Link: CVE-2025-4946

Vulnrichment

Updated: 2025-07-02T13:06:44.950Z

NVD

Status: Deferred

Published: 2025-07-02T10:15:23.227

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:45:19Z

Weaknesses