Description
The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-08-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion that could lead to remote code execution
Action: Apply Patch
AI Analysis

Impact

The Wptobe-memberships plugin for WordPress contains a flaw in the del_img_ajax_call() function: insufficient validation of the supplied file path allows users with Subscriber-level access and above to delete any file on the server. Deleting critical configuration files such as wp-config.php can enable an attacker to achieve remote code execution. The weakness is classified as CWE-73 (External Control of File Name or Path).

Affected Systems

All installations of the Wptobe-memberships plugin up to and including version 3.4.2 are affected. The vulnerability is present in any WordPress site that has the plugin installed, regardless of other plugins or themes, as long as the user has at least a Subscriber role and the capability to trigger the delete image AJAX call.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, although the impact would be severe if the flaw were exploited. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with Subscriber or higher privileges to trigger the deletion, so exploitation is tied to a logged-in user's session. The authentication requirement limits opportunistic exploitation but does not eliminate the risk, especially in environments where Subscriber roles are widely granted (for example, sites with open registration).

Generated by OpenCVE AI on April 21, 2026 at 19:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the wptobe-memberships plugin to the latest version available from the vendor, ensuring the file path validation fix has been applied.
  • Restrict the ability of Subscriber-level users to invoke the del_img_ajax_call endpoint, for example by using a role editor to remove that capability or by adding a custom hook that denies the action for non-administrator users.
  • Deploy a file integrity monitoring solution to detect and alert on unexpected deletions of critical files such as wp-config.php.

Advisories

Source: EUVD
ID: EUVD-2025-25736
Title: The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

History

Mon, 25 Aug 2025 21:45:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 23 Aug 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 23 Aug 2025 04:30:00 +0000

Type: Description
Values Added: The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values Added: Wptobe-memberships <= 3.4.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Type: Weaknesses
Values Added: CWE-73

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:47.242Z

Reserved: 2025-08-14T19:33:35.186Z

Link: CVE-2025-9048

Vulnrichment

Updated: 2025-08-25T17:31:06.982Z

NVD

Status: Deferred

Published: 2025-08-23T05:15:33.827

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses