CVE-2025-2004 Overview
CVE-2025-2004 is an arbitrary file deletion vulnerability in the Simple WP Events plugin for WordPress. The flaw exists in the wpe_delete_file AJAX action and affects all plugin versions up to and including 1.8.17. Insufficient file path validation lets unauthenticated attackers delete arbitrary files on the underlying server. Deleting sensitive files such as wp-config.php can trigger WordPress reinstallation flows and lead to remote code execution. CVE-2025-32509 is a duplicate of this issue.
Critical Impact
Unauthenticated attackers can delete arbitrary server files via an exposed AJAX endpoint, escalating to remote code execution when wp-config.php is removed.
Affected Products
- Simple WP Events plugin for WordPress, all versions through 1.8.17
- WordPress sites with the plugin installed and activated
- Hosting environments where the web server can write to WordPress core files
Discovery Timeline
- 2025-04-08 - CVE-2025-2004 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2004
Vulnerability Analysis
The vulnerability is classified under CWE-73, External Control of File Name or Path. The Simple WP Events plugin registers the wpe_delete_file AJAX action without enforcing authentication, capability checks, or proper path validation. An attacker sends a crafted POST request to wp-admin/admin-ajax.php with the target file path as a parameter. The plugin passes that user-supplied path directly to a file deletion routine.
Deleting wp-config.php is the typical escalation path. When WordPress loads without a configuration file, it serves the installation wizard, allowing an attacker to point the site at an attacker-controlled database. From that position, the attacker can create an administrator account and upload a malicious plugin or theme, achieving code execution on the host.
Root Cause
The root cause is missing authorization and missing path sanitization in the AJAX handler defined in admin/includes/wp-events-export-events.php. The handler is registered for both privileged and unprivileged users, and it accepts a relative or absolute file path from the request body. No nonce verification, capability check, or path containment to the plugin's working directory is applied before calling the delete operation.
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. An attacker issues an HTTP POST request to the plugin's AJAX endpoint with a file parameter pointing to a target such as ../../../wp-config.php. The server processes the request and removes the specified file. See the WordPress Plugin Code Review and the WordPress Plugin Changeset Log for the vulnerable code and the corresponding fix.
Detection Methods for CVE-2025-2004
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=wpe_delete_file from unauthenticated sessions
- Unexpected absence of wp-config.php or other WordPress core files, followed by the install wizard appearing at the site root
- Newly created administrator accounts and unfamiliar plugin or theme uploads following plugin AJAX traffic
- Web server file deletion events on PHP files outside the Simple WP Events plugin directory
Detection Strategies
- Inspect web server access logs for admin-ajax.php requests carrying the wpe_delete_file action parameter, especially without an authenticated wordpress_logged_in_* cookie
- Compare file integrity baselines for WordPress core and plugin directories to identify unauthorized deletions
- Alert on HTTP responses where wp-config.php is missing and the installer (/wp-admin/install.php) is served on a previously configured site
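The first detection strategy above as runnable scan logic, added here and not part of the original advisory. It assumes an access-log format that appends the request's Cookie header as a final quoted field, and uses the file parameter name from the Attack Vector section; the sample lines are constructed.

```php
<?php
// Added example, not from the original advisory. Assumes a log format that
// appends the Cookie header as a final quoted field, e.g. for Apache:
//   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{Cookie}i\""
// POST bodies are not in access logs, so this only catches the action when it
// is sent in the query string; body-borne attempts need WAF or audit-log data.

function wpe_flag_log_lines( array $lines ): array {
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" "([^"]*)"$/';
    $flagged = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not in the expected format
        }
        list( , $ip, $time, $method, $target, $status, $cookie ) = $m;
        $url = parse_url( $target );
        if ( empty( $url['path'] ) || '/admin-ajax.php' !== substr( $url['path'], -15 ) ) {
            continue;
        }
        $args = array();
        if ( ! empty( $url['query'] ) ) {
            parse_str( $url['query'], $args );
        }
        if ( 'wpe_delete_file' !== ( $args['action'] ?? '' ) ) {
            continue;
        }
        // No wordpress_logged_in_* cookie means the caller never authenticated.
        $authenticated = ( false !== strpos( $cookie, 'wordpress_logged_in_' ) );
        $flagged[] = array(
            'ip'       => $ip,
            'time'     => $time,
            'method'   => $method,
            'status'   => $status,
            'file'     => $args['file'] ?? '',
            'severity' => $authenticated ? 'medium' : 'high',
        );
    }
    return $flagged;
}

// Constructed sample lines (not real traffic).
$sample = array(
    '203.0.113.5 - - [08/Apr/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wpe_delete_file&file=../../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.0" "-"',
    '198.51.100.7 - - [08/Apr/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0" "wordpress_logged_in_abc=admin; wp-settings=1"',
    '192.0.2.9 - - [08/Apr/2025:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
);
foreach ( wpe_flag_log_lines( $sample ) as $hit ) {
    printf( "%s %s %s %s file=%s\n", $hit['severity'], $hit['time'], $hit['ip'], $hit['method'], $hit['file'] );
}
```

Only the first sample line is flagged (severity high); the second is an ordinary authenticated admin-ajax.php call with no visible action, and the third is unrelated.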
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform and create rules for the wpe_delete_file action string
- Monitor filesystem audit events on the WordPress document root for deletions of wp-config.php, .htaccess, and index.php
- Track administrator account creation and plugin installation events outside of approved change windows
How to Mitigate CVE-2025-2004
Immediate Actions Required
- Update the Simple WP Events plugin to a version newer than 1.8.17 that includes the fix referenced in the plugin changeset
- If an immediate update is not possible, deactivate and remove the plugin from all WordPress installations
- Restore any deleted files from backups and verify the integrity of wp-config.php and core WordPress files
- Audit administrator accounts and installed plugins for unauthorized changes
Patch Information
The vendor fixed the issue in the changeset referenced in the WordPress Plugin Changeset Log. Details and affected version ranges are documented in the Wordfence Vulnerability Report. Administrators should install the patched release on every site running Simple WP Events.
Workarounds
- Block requests to admin-ajax.php with action=wpe_delete_file at the web application firewall until patching is complete
- Restrict filesystem permissions so the web server user cannot delete wp-config.php or other core files
- Disable the plugin entirely on sites that do not require event export functionality
# Example WAF rule (ModSecurity) to block exploitation attempts.
# REQUEST_FILENAME excludes the query string, so the match still holds when the
# action is passed as ?action=...; phase:2 plus SecRequestBodyAccess On are
# required for ARGS to include POST body parameters.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:1002004,phase:2,deny,status:403,log,msg:'Block CVE-2025-2004 wpe_delete_file abuse',chain"
    SecRule ARGS:action "@streq wpe_delete_file" "t:none,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.