Skip to main content
CVE Vulnerability Database

CVE-2025-7643: WordPress Attachment Manager Path Traversal

CVE-2025-7643 is a path traversal vulnerability in WordPress Attachment Manager plugin allowing unauthenticated attackers to delete arbitrary files. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-7643 Overview

The Attachment Manager plugin for WordPress contains a critical arbitrary file deletion vulnerability in all versions up to and including 2.1.2. The vulnerability exists due to insufficient file path validation in the handle_actions() function, which allows unauthenticated attackers to delete arbitrary files on the server. This vulnerability is particularly dangerous because deleting critical WordPress files such as wp-config.php can lead to remote code execution by forcing WordPress into its installation state.

Critical Impact

Unauthenticated attackers can achieve remote code execution by deleting critical WordPress configuration files, potentially leading to complete site compromise.

Affected Products

  • Attachment Manager plugin for WordPress versions ≤ 2.1.2

Discovery Timeline

  • 2025-07-18 - CVE-2025-7643 published to NVD
  • 2025-07-22 - Last updated in NVD database

Technical Details for CVE-2025-7643

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal), allowing attackers to specify file paths outside of intended directories. The handle_actions() function in the Attachment Manager plugin fails to properly sanitize or validate user-supplied file path input before performing file deletion operations. This lack of validation enables malicious actors to traverse the directory structure and target any file accessible by the web server process.

The attack is particularly severe because it requires no authentication, meaning any remote attacker can exploit this vulnerability without credentials. When attackers delete wp-config.php, WordPress enters an unconfigured state and presents the installation wizard, allowing attackers to reconfigure the database connection and inject malicious code.

Root Cause

The root cause of this vulnerability is the absence of proper input validation and path canonicalization in the handle_actions() function. The function directly accepts user-controlled input for file path parameters without:

  • Validating that the target file exists within allowed directories
  • Sanitizing path traversal sequences (e.g., ../)
  • Restricting operations to attachment files only
  • Verifying the requesting user has appropriate permissions

Attack Vector

The vulnerability is exploitable over the network without any authentication requirements. An attacker can craft a malicious request to the vulnerable handle_actions() function endpoint, including path traversal sequences to target files outside the intended attachment directory. The attack flow typically involves:

  1. Identifying a WordPress site running a vulnerable version of Attachment Manager
  2. Crafting a request to the plugin's action handler with a manipulated file path parameter
  3. Using directory traversal sequences to navigate to critical WordPress files
  4. Deleting wp-config.php or other critical files to compromise the installation

For detailed technical analysis, refer to the Wordfence Vulnerability Report.

Detection Methods for CVE-2025-7643

Indicators of Compromise

  • Unexpected deletion of wp-config.php or other critical WordPress core files
  • WordPress installation wizard appearing unexpectedly on established sites
  • Web server logs showing requests to Attachment Manager endpoints with path traversal sequences (../)
  • Missing attachment files or plugin configuration files
  • Unauthorized database configuration changes following a site reinstallation

Detection Strategies

  • Monitor web server access logs for requests containing directory traversal patterns targeting Attachment Manager plugin endpoints
  • Implement file integrity monitoring on critical WordPress files including wp-config.php, .htaccess, and core WordPress files
  • Deploy Web Application Firewall (WAF) rules to detect and block path traversal attempts
  • Review plugin audit logs for unexpected file deletion events

Monitoring Recommendations

  • Configure real-time alerting for any modifications or deletions to wp-config.php
  • Enable WordPress debug logging to capture plugin activity
  • Implement automated backup verification to detect file deletions quickly
  • Monitor for WordPress installation state changes on production sites

How to Mitigate CVE-2025-7643

Immediate Actions Required

  • Immediately update the Attachment Manager plugin to a patched version (above 2.1.2) if available
  • If no patch is available, deactivate and remove the Attachment Manager plugin until a security update is released
  • Implement WAF rules to block path traversal attempts targeting WordPress plugin endpoints
  • Ensure regular automated backups of wp-config.php and critical WordPress files are in place
  • Review web server logs for signs of exploitation attempts

Patch Information

Check the WordPress Plugin Page for the latest security updates. Ensure you are running a version newer than 2.1.2 that addresses this vulnerability. Monitor the Wordfence Vulnerability Report for patch availability and additional mitigation guidance.

Workarounds

  • Deactivate and delete the Attachment Manager plugin until a patched version is available
  • Implement file system permissions to make critical files read-only where possible
  • Configure web server rules to restrict access to plugin directories from external requests
  • Use a WAF with path traversal detection capabilities to block exploitation attempts
bash
# Make wp-config.php immutable (temporary workaround - may affect legitimate updates)
chattr +i /var/www/html/wp-config.php

# Restrict plugin directory access via .htaccess
echo "<Files handle_actions.php>
Order deny,allow
Deny from all
</Files>" >> /var/www/html/wp-content/plugins/attachment-manager/.htaccess

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.