2025-07-15

Wordfence published an advisory on the WordPress Malcure Malware Scanner plugin, which was discovered to have a vulnerability rated at a severity level of 8.1. At the time of publishing, there is no patch to fix the problem.

Malcure Malware Scanner Vulnerability

The Malcure Malware Scanner plugin, installed on over 10,000 WordPress websites, is vulnerable to “Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function” by authenticated attackers. The need for an authenticated user makes exploitation somewhat less likely, but not by much, because only subscriber-level access is required, which is the lowest level of authentication. The “subscriber” role is the default level of registration on a WordPress website (if registration is allowed).

According to Wordfence:

“This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site.”
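The defect Wordfence describes is an AJAX handler that any logged-in user can reach and that deletes whatever path it is handed, with only the “advanced mode” setting standing in the way. The following is an added illustration, not the Malcure plugin’s code: the handler names, option key and quarantine directory are hypothetical, and the second handler shows the three checks (nonce, capability, path confinement) that a plugin file-deletion endpoint should enforce.

```php
<?php
// Added illustration, not the Malcure plugin's code. Handler names, the
// option key and the directory are hypothetical stand-ins for the page's
// description of a file-deletion function gated only by "advanced mode".

// Insecure pattern: a wp_ajax_ hook is reachable by every authenticated role
// (Subscriber and up), so a feature toggle is not an authorization check and
// deleting the caller-supplied path is arbitrary file deletion.
add_action('wp_ajax_example_delete_file_insecure', function () {
    if (!get_option('example_advanced_mode')) {
        wp_send_json_error('advanced mode disabled', 403);
    }
    $file = wp_unslash($_POST['file'] ?? '');
    wp_delete_file($file); // no capability check, no path restriction
    wp_send_json_success();
});

// Hardened pattern: nonce, capability check, and path confinement.
add_action('wp_ajax_example_delete_file', function () {
    // 1. CSRF: the request must carry a nonce issued to this admin screen.
    check_ajax_referer('example_delete_file', 'nonce');

    // 2. Authorization: being logged in is not a permission. Require a
    //    capability that only administrators hold.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Input confinement: resolve the path and require it to stay inside the
    //    one directory this feature is allowed to manage (a hypothetical
    //    quarantine folder under wp-content/uploads).
    $base   = realpath(WP_CONTENT_DIR . '/uploads/example-quarantine');
    $name   = basename(wp_unslash($_POST['file'] ?? ''));
    $target = $base === false ? false : realpath($base . '/' . $name);
    if ($target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($target)) {
        wp_send_json_error('invalid file', 400);
    }

    wp_delete_file($target);
    wp_send_json_success();
});
```

Until a patched release exists, the page’s advice stands: the capability check cannot be retrofitted from outside the plugin, so removing the plugin (or at least disabling advanced mode) is the practical mitigation.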

There is no known patch available for the plugin and users are cautioned to take necessary actions such as uninstalling the plugin to mitigate risk.

The plugin is currently unavailable for download with a notice showing that it is under review.

