Impact
The Malcure Malware Scanner – #1 Toolset for WordPress Malware Removal plugin contains an arbitrary file deletion flaw in its wpmr_delete_file() function, which performs no capability check before acting on the requested path. In all releases up to and including 17.0, any authenticated user with subscriber-level permissions or higher can delete any file on the WordPress installation (in practice, any file the web server process is allowed to unlink). The vulnerable code path is reachable only when the plugin's advanced mode is enabled. Once it is, removing a critical file such as wp-config.php pushes WordPress back into its setup flow, which is the usual route from arbitrary file deletion to remote code execution. The weakness corresponds to CWE-862 (Missing Authorization). The deletion itself undermines integrity and availability; the follow-on code execution it enables extends the impact to confidentiality as well.
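The missing check described above is the classic WordPress AJAX mistake: a wp_ajax_ hook fires for every logged-in user, so unless the handler itself calls current_user_can(), a subscriber reaches it. The following is an added illustration written for this page, not the plugin's own code; the action name, the option name wpmr_advanced_mode, the request parameter file and the helper wpmr_resolve_deletable_path() are assumptions chosen to make the pattern concrete. It shows the vulnerable shape beside a hardened handler that adds authorization, CSRF protection and path confinement.

```php
<?php
// Added example for this advisory page; not code from the Malcure plugin.
// Hook name, option name, parameter name and helper are assumptions.

// ---- Vulnerable pattern (CWE-862) -------------------------------------
// Originally hooked as:
//   add_action( 'wp_ajax_wpmr_delete_file', 'wpmr_delete_file_vulnerable' );
// 'wp_ajax_*' runs for ANY logged-in user, subscribers included.
function wpmr_delete_file_vulnerable() {
    // The only gate is the (assumed) advanced-mode setting. There is no
    // capability check, no nonce, and the path comes straight from the request.
    if ( ! get_option( 'wpmr_advanced_mode' ) ) {
        wp_send_json_error( 'advanced mode disabled' );
    }
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( '' !== $file && file_exists( $file ) ) {
        unlink( $file ); // a subscriber can pass ABSPATH . 'wp-config.php'
    }
    wp_send_json_success();
}

// ---- Hardened form ----------------------------------------------------
add_action( 'wp_ajax_wpmr_delete_file', 'wpmr_delete_file_hardened' );

function wpmr_delete_file_hardened() {
    // 1. Authorization: only administrators may delete files. This single
    //    line is the fix for the missing-authorization weakness.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() calls wp_die()
    }

    // 2. CSRF protection: require the nonce issued with the plugin's admin page
    //    (the nonce action 'wpmr_delete_file' is an assumption).
    check_ajax_referer( 'wpmr_delete_file' );

    // 3. Keep the feature's own precondition.
    if ( ! get_option( 'wpmr_advanced_mode' ) ) {
        wp_send_json_error( 'advanced mode disabled', 400 );
    }

    // 4. Confine the target to the WordPress root and refuse files the site
    //    cannot run without.
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $target    = wpmr_resolve_deletable_path( $requested );
    if ( null === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    if ( ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $target ) );
}

// Returns the canonical path if it is a regular file inside ABSPATH and not a
// protected core file; otherwise null. realpath() collapses '../' and symlinks,
// so the prefix comparison below is meaningful.
function wpmr_resolve_deletable_path( $requested ) {
    if ( ! is_string( $requested ) || '' === $requested ) {
        return null;
    }
    $root = realpath( ABSPATH );
    $real = realpath( $requested );
    if ( false === $root || false === $real ) {
        return null;
    }
    if ( 0 !== strpos( $real, rtrim( $root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR ) ) {
        return null; // outside the WordPress root
    }
    $protected = array( 'wp-config.php', 'wp-load.php', 'wp-settings.php', '.htaccess' );
    if ( in_array( basename( $real ), $protected, true ) ) {
        return null; // deleting these is how file deletion turns into RCE
    }
    return is_file( $real ) ? $real : null;
}
```

The capability check is what addresses CWE-862; the nonce and the path confinement are defence in depth that an arbitrary-file-deletion handler should have had regardless. Note that a check on advanced mode alone is not authorization: it is a site-wide setting controlled by an administrator and says nothing about who is making the request.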
Affected Systems
WordPress sites running version 17.0 or earlier of the plugin (its malware removal component, referred to as Malcure Malware Shield) are affected. Exploitation additionally requires that advanced mode is turned on; with advanced mode off, the vulnerable code path is not reachable. Because of the missing capability check, any authenticated account with the subscriber role or higher can invoke the delete function, so sites that allow open registration or hand out low-privilege accounts (membership sites, storefronts, forums) face the widest exposure.
Risk and Exploitability
With a CVSS base score of 8.1, the issue is classified as high severity. The EPSS score of about 2% indicates a low current likelihood of widespread exploitation, and the vulnerability is not listed in CISA's KEV catalog. An attacker needs an account with at least subscriber-level privileges, and the site must already have advanced mode enabled; a subscriber cannot turn that setting on, so the precondition is in the hands of the administrator, not the attacker. Once both conditions hold, the attacker can delete arbitrary files, for example removing wp-config.php to force the site back into the installer or stripping out security controls, as a route to remote code execution. Sites that have not enabled advanced mode are not directly exploitable, but the flaw remains a residual risk that becomes live the moment the setting is turned on, so affected versions should be updated rather than left with advanced mode merely disabled.