Description
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-07-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Fix
AI Analysis

Impact

The Malcure Malware Shield plugin for WordPress contains a missing capability check in its wpmr_inspect_file() function. This flaw allows any authenticated user who holds at least subscriber-level permissions to request the contents of any file located on the server through the plugin’s interface. The vulnerability can expose sensitive configuration files, credentials, or other confidential data, compromising the confidentiality of the site and potentially the integrity of the host environment.

Affected Systems

Any WordPress site that has the Malcure Malware Shield plugin installed at version 16.8 or earlier is vulnerable. The issue exists across all WordPress core versions and does not depend on site configuration beyond the presence of the affected plugin.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. An attacker needs only an authenticated account with subscriber or higher privileges, a role that ordinary registered users commonly hold, to trigger the file read. Once the attacker can supply an arbitrary file path to the vulnerable function, the plugin returns the file contents, potentially leaking sensitive information.

Generated by OpenCVE AI on April 22, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or update for Malcure Malware Shield as soon as it becomes available.
  • Limit the scope of the plugin’s inspect function by configuring file path restrictions or setting the plugin to operate only within trusted directories.
  • Monitor WordPress logs for unusual file‑inspection activity and review user permissions to ensure only trusted users maintain subscriber or higher roles.

Generated by OpenCVE AI on April 22, 2026 at 17:05 UTC.
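As an added illustration (not code from the Malcure plugin or from OpenCVE), the following hypothetical WordPress AJAX handler shows the CWE-862 pattern described in the Impact section, a file-inspection endpoint reachable by any logged-in user because it never checks a capability, beside a hardened version that enforces the kind of controls the recommended actions call for: a capability check, a nonce, and confinement of the requested path to the WordPress install directory. The function names, the `example_inspect_file` AJAX action and the nonce action name are assumptions.

```php
<?php
// Added illustration, not Malcure plugin code. Function names, the AJAX action
// and the nonce action name are hypothetical.

// VULNERABLE PATTERN (CWE-862): hooked on wp_ajax_*, so any logged-in user,
// including a subscriber, can reach it; the supplied path is used as-is.
function example_inspect_file_vulnerable() {
    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    // No current_user_can(), no nonce check, no confinement of $path.
    wp_send_json_success( array( 'contents' => file_get_contents( $path ) ) );
}

// HARDENED VERSION.
function example_inspect_file_hardened() {
    // 1. Authorization: file inspection is an administrative operation, so
    //    require a capability that subscribers never hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }

    // 2. CSRF protection: the request must carry the nonce issued with the
    //    plugin's admin page via wp_create_nonce( 'example_inspect_file' ).
    check_ajax_referer( 'example_inspect_file', 'nonce' );

    // 3. Path confinement: treat the input as relative to the WordPress
    //    install, resolve '..' and symlinks with realpath(), and require the
    //    result to stay under ABSPATH. The trailing separator in the prefix
    //    test keeps a sibling such as '/var/www/html-other' from matching.
    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $base      = realpath( ABSPATH );
    $real      = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' ) );
    if ( false === $base || false === $real || ! is_file( $real )
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Even inside ABSPATH, never return the secrets file.
    if ( 'wp-config.php' === basename( $real ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $real ) ) );
}

// Only the hardened handler is registered; wp_ajax_nopriv_* is deliberately
// not used, so unauthenticated requests are rejected by WordPress itself.
add_action( 'wp_ajax_example_inspect_file', 'example_inspect_file_hardened' );
```

The capability to require depends on the plugin's purpose; `manage_options` is used here as an assumption because a scanner's file-inspection feature is an administrator task. A review of any plugin for this bug class should confirm that every `wp_ajax_*`, REST route and `admin-post.php` handler performs its own `current_user_can()` check, since the `wp_ajax_` prefix only guarantees that the caller is logged in, not that the caller is privileged.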

Advisories
Source: EUVD
ID: EUVD-2025-21858
Title: The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
History

Fri, 18 Jul 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 18 Jul 2025 07:00:00 +0000

Values Removed: none
Values Added:
Description: The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title: Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Weaknesses: CWE-862
References:
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:41.763Z

Reserved: 2025-07-17T17:27:25.125Z

Link: CVE-2025-7772

Vulnrichment

Updated: 2025-07-18T13:59:06.168Z

NVD

Status : Deferred

Published: 2025-07-18T07:15:28.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses