Description
The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-07-18
Score: 9.1 Critical
EPSS: 9.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Attachment Manager plugin for WordPress allows an unauthenticated attacker to delete arbitrary files on the server because the handle_actions() function does not properly validate file paths. This weakness can be exploited to remove any file on the filesystem, including critical configuration files such as wp-config.php, thereby enabling remote code execution or severe loss of data integrity and availability. The vulnerability is identified as CWE‑22 (Path Traversal).

Affected Systems

All installations of Aaron Campbell's Attachment Manager plugin version 2.1.2 and earlier are affected, regardless of WordPress version. The vulnerability exists in every plugin instance that includes the handle_actions() routine, meaning any site using a legacy copy of the plugin is at risk.

Risk and Exploitability

The CVSS score of 9.1 indicates a high severity and the EPSS score of 9% suggests a non‑negligible likelihood of exploitation in the wild. The vulnerability is not listed in CISA KEV, but the reliability of the attack path—unauthenticated access to a deletion endpoint—means an attacker can upload malicious content or craft a request to delete a target file without requiring authentication or pre‑existing permissions. The exploitation requires only knowledge of the endpoint URL and that the plugin is active, making it readily actionable by automated attackers.

Generated by OpenCVE AI on May 14, 2026 at 14:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Attachment Manager plugin to version 2.1.3 or later, which contains proper file path validation in the handle_actions() function.
  • If an update is unavailable, deactivate or remove the plugin from the WordPress installation to eliminate the deletion endpoint while a permanent fix is applied.
  • Assess file permissions on critical configuration files (e.g., wp-config.php) and ensure they are not world‑writable; monitor server logs for unexpected file deletions to detect possible exploitation attempts.

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-21852
Title: The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Fri, 18 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 05:30:00 +0000

Values Added:
Description: The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title: Attachment Manager <= 2.1.2 - Unauthenticated Arbitrary File Deletion
Weaknesses: CWE-22
References:
Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:19.050Z

Reserved: 2025-07-14T15:09:13.446Z

Link: CVE-2025-7643

Vulnrichment

Updated: 2025-07-18T13:14:11.859Z

NVD

Status : Deferred

Published: 2025-07-18T06:15:28.067

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T15:00:12Z

Weaknesses