Description
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-08-15
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Deletion leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Icons Factory plugin for WordPress contains a flaw where its delete_files() function lacks proper authorization checks and path validation. This permits an unauthenticated user to delete any file on the server by supplying a target path. Removing critical files such as wp-config.php can compromise configuration and enable a malicious actor to take control of the site, resulting in loss of confidentiality, integrity, and availability. The weakness is a classic example of CWE-285, Unauthorized Access for a Trusted System Component.

Affected Systems

All installations of the Icons Factory plugin by the vendor artkrylov running any version up to and including 1.6.12 are affected. The vulnerability applies to any WordPress site that has this plugin enabled, regardless of user role or site configuration.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity. The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA KEV. Nevertheless, the flaw can be leveraged remotely via HTTP requests to the plugin’s delete endpoint, allowing unauthenticated attackers to delete arbitrary files and potentially execute code. The attack vector is inferred to be remote over the web, exploiting the lack of authentication checks in the plugin’s file deletion routine.

Generated by OpenCVE AI on April 22, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Icons Factory plugin to the latest version that includes an authorization check for delete_files().
  • If an upgrade cannot be performed immediately, deactivate or remove the plugin to eliminate the exploitation pathway.
  • Restrict file system permissions for the plugin’s directories so that the web process cannot delete files, thereby adding a defense-in-depth layer for the affected component.

Generated by OpenCVE AI on April 22, 2026 at 14:28 UTC.
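
The two controls the recommended actions call for, shown in PHP as an added illustration; this is not the Icons Factory plugin's own code (the page shows none) but a hypothetical WordPress AJAX handler, icf_delete_files_hardened(), that requires a capability plus a nonce and confines deletion to one plugin-owned directory under the uploads folder (an assumed layout).

```php
<?php
// Hypothetical WordPress AJAX delete handler (added example, not the
// Icons Factory plugin's code). It shows the two controls the advisory says
// delete_files() lacks: an authorization check and path validation.
// Assumption: the plugin only ever needs to delete files under its own
// "icons-factory" subdirectory of the WordPress uploads directory.

add_action( 'wp_ajax_icf_delete_files', 'icf_delete_files_hardened' );
// No 'wp_ajax_nopriv_' registration: unauthenticated requests never reach this.

function icf_delete_files_hardened() {
    // 1. Authorization: a CSRF nonce and a capability check. Omitting these is
    //    the "insufficient authorization" half of the flaw.
    check_ajax_referer( 'icf_delete_files', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Path validation: resolve the requested name against a fixed base
    //    directory and reject anything outside it. Omitting this is the
    //    "improper path validation" half.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'icons-factory' );
    $name   = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );

    $target = icf_resolve_inside( $base, $name );
    if ( null === $target ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( basename( $target ) );
}

// Returns the canonical path of $name inside $base, or null when $name is
// empty, does not exist as a regular file, or resolves (via ".." components
// or symlinks) to a location outside $base. sanitize_file_name() already
// strips separators; the realpath() check is the defense-in-depth layer.
function icf_resolve_inside( $base, $name ) {
    if ( false === $base || '' === $name ) {
        return null;
    }
    $real = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $real || ! is_file( $real ) ) {
        return null;
    }
    // Compare with the trailing separator so "/base2" cannot match "/base".
    return 0 === strpos( $real, $base . DIRECTORY_SEPARATOR ) ? $real : null;
}
```

Restricting the web process's write permission on directories outside that base, as the third recommended action suggests, limits the blast radius even if the handler itself is bypassed.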

Advisories
Source   ID                 Title
EUVD     EUVD-2025-25002    The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Sat, 16 Aug 2025 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 Aug 2025 08:45:00 +0000

Type          Values Removed   Values Added
Description                    The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title                          Icons Factory <= 1.6.12 - Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function
Weaknesses                     CWE-285
References
Metrics                        cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:19.505Z

Reserved: 2025-07-17T22:02:28.623Z

Link: CVE-2025-7778

Vulnrichment

Updated: 2025-08-15T16:14:41.852Z

NVD

Status : Deferred

Published: 2025-08-15T09:15:30.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T14:30:18Z

Weaknesses