CVE-2025-9048 Overview
CVE-2025-9048 is an arbitrary file deletion vulnerability in the Wptobe-memberships plugin for WordPress. The flaw resides in the del_img_ajax_call() function, which fails to validate file paths supplied by authenticated users. All plugin versions up to and including 3.4.2 are affected.
Authenticated attackers with Subscriber-level access or higher can delete arbitrary files on the underlying server. Deleting sensitive files such as wp-config.php triggers WordPress reinstallation flows, which attackers can leverage to achieve remote code execution. The issue is tracked under [CWE-73: External Control of File Name or Path].
Critical Impact
A Subscriber account can remove wp-config.php and pivot to full site takeover and remote code execution on the host.
Affected Products
- Wptobe-memberships plugin for WordPress (all versions ≤ 3.4.2)
- WordPress sites running the vulnerable plugin with open registration or any Subscriber-tier accounts
- Hosting environments where the web server process owns WordPress files
Discovery Timeline
- 2025-08-23 - CVE-2025-9048 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-9048
Vulnerability Analysis
The Wptobe-memberships plugin exposes the del_img_ajax_call() AJAX handler defined in bwlms-fields/bwlms-fields.php. The handler accepts a user-controlled file path parameter and invokes a file deletion routine without sanitizing or restricting the target path.
Because the AJAX endpoint is reachable through the standard admin-ajax.php entry point and only requires an authenticated session, any user holding the default Subscriber role can call it. The plugin does not verify that the supplied path resides within an expected uploads directory.
File deletion alone qualifies as an integrity and availability impact. However, removing wp-config.php causes WordPress to display the setup wizard on the next request. An attacker can complete the wizard against an attacker-controlled database, gaining administrator access and the ability to upload PHP payloads — converting the primitive into remote code execution.
Root Cause
The root cause is missing path validation [CWE-73]. The del_img_ajax_call() function trusts the file path argument from the client request, performs no canonicalization, no allowlist check against the uploads directory, and no capability check beyond authentication. Traversal sequences such as ../ resolve to files outside the plugin's intended scope.
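The following is an added illustration of the missing check and is not the plugin's code. It is written in Python so it runs stand-alone; the site layout, file names and the parameter value strings are constructed. The vulnerable function mirrors what the advisory describes (client path straight to unlink), and the hardened one shows the canonicalise-then-contain check. In a PHP fix the same steps map onto realpath() compared against wp_upload_dir()['basedir'], preceded by check_ajax_referer() and a current_user_can() test; that mapping is an assumption, not the vendor's patch.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from typing import Optional

# Added illustration, not the plugin's PHP. The demo site built below is a
# constructed scratch tree; the parameter values are example inputs.


def vulnerable_delete(user_supplied: str) -> bool:
    """Mirrors the flaw described for del_img_ajax_call(): the client-supplied
    path goes straight to unlink, so '../wp-config.php' or an absolute path
    removes whatever the web server user is allowed to delete."""
    try:
        os.unlink(user_supplied)
        return True
    except OSError:
        return False


def resolve_upload_target(uploads_dir: str, user_supplied: str) -> Optional[Path]:
    """Canonicalise the request and accept it only if it stays inside
    uploads_dir. Returns the resolved Path, or None when rejected."""
    # 1. Reject embedded NULs before any filesystem call: C-level APIs would
    #    truncate the path there, a classic way past prefix or suffix filters.
    if "\x00" in user_supplied:
        return None
    base = Path(uploads_dir).resolve(strict=True)
    # 2. Join, then canonicalise. An absolute user path replaces `base` in the
    #    join (that is how path joining works), and resolve() follows symlinks,
    #    so both an absolute path and a link planted inside uploads that points
    #    at wp-config.php end up outside `base` and fail the next test.
    candidate = (base / user_supplied).resolve()
    # 3. Containment: candidate must be strictly below base (base itself,
    #    reached via "." or "", is refused as well).
    if base not in candidate.parents:
        return None
    # 4. Regular files only: never unlink directories or special files. A real
    #    handler would additionally check that the caller owns the attachment.
    if not candidate.is_file():
        return None
    return candidate


def hardened_delete(uploads_dir: str, user_supplied: str) -> bool:
    target = resolve_upload_target(uploads_dir, user_supplied)
    if target is None:
        return False
    target.unlink()
    return True


def build_demo_site(root: str) -> str:
    """Constructed layout: root/wp-config.php, root/wp-content/uploads/2025/08/
    avatar.png, and a symlink inside uploads pointing at wp-config.php.
    Returns the uploads directory."""
    root_p = Path(root)
    (root_p / "wp-config.php").write_text("<?php // constructed placeholder\n")
    uploads = root_p / "wp-content" / "uploads"
    (uploads / "2025" / "08").mkdir(parents=True)
    (uploads / "2025" / "08" / "avatar.png").write_bytes(b"\x89PNG constructed")
    (uploads / "planted").symlink_to(root_p / "wp-config.php")
    return str(uploads)


def run_path_checks() -> dict:
    """Exercise both handlers against the constructed site. *_accepted keys
    say whether the hardened check accepted the request; *_deleted keys say
    whether the file is actually gone afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = build_demo_site(tmp)
        config = os.path.join(tmp, "wp-config.php")

        def accepted(p: str) -> bool:
            return resolve_upload_target(uploads, p) is not None

        results = {
            "legit_accepted": accepted("2025/08/avatar.png"),
            "traversal_accepted": accepted("../../wp-config.php"),
            "absolute_accepted": accepted(config),
            "symlink_accepted": accepted("planted"),
            "nul_accepted": accepted("2025/08/avatar.png\x00.jpg"),
            "directory_accepted": accepted("2025/08"),
            "base_accepted": accepted("."),
        }
        results["hardened_deleted_legit"] = hardened_delete(uploads, "2025/08/avatar.png")
        results["hardened_deleted_config"] = hardened_delete(uploads, "../../wp-config.php")
        results["vulnerable_deleted_config"] = vulnerable_delete(config)
        return results
```

The containment test is done on the resolved path, not on the raw string, which is why a symlink planted inside the uploads tree is caught without any special handling: it resolves to its target outside the base directory.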
Attack Vector
Exploitation occurs over the network against admin-ajax.php. The attacker first registers or logs in as a Subscriber, then issues an authenticated AJAX POST to the vulnerable action with a crafted file path pointing at a sensitive file such as wp-config.php, .htaccess, or the files of a security plugin. The server unlinks the target, provided the web server user has write permission on the directory that contains it. No interaction from an administrator is required.
See the Wordfence Vulnerability Analysis and the WordPress Plugin Source Code for the vulnerable function reference.
Detection Methods for CVE-2025-9048
Indicators of Compromise
- Missing or recently truncated wp-config.php, .htaccess, or index.php files in the WordPress root.
- WordPress setup wizard (/wp-admin/setup-config.php) unexpectedly served to visitors.
- New administrator accounts created shortly after a Subscriber-account session.
- Unexpected PHP files written to wp-content/uploads/ following a setup-wizard event.
Detection Strategies
- Inspect request logs for POST requests to admin-ajax.php with action=del_img_ajax_call, especially where a path parameter contains ../ (including URL-encoded forms) or an absolute path. The action and the path travel in the POST body, which standard access logs do not record, so this needs a WAF audit log or request-body logging at the application layer.
- Correlate Subscriber-role authentications with subsequent file deletion events from the PHP-FPM or Apache user.
- Run file integrity monitoring against the WordPress root and plugin directories to flag deletion of core files.
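The detection strategies above, applied to a constructed sample log as an added example (not from the advisory). The log is JSON lines with the POST body included, the shape a WAF audit log or a request-logging must-use plugin would produce; plain access logs lack the body, so neither the action nor the path parameter is visible in them. The parameter name "file" in the sample is assumed; the scanner inspects every parameter except "action", so the real name does not matter. The second function implements the setup-wizard indicator from the list above.

```python
from __future__ import annotations

import json
import os
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote

# Constructed sample log (not real traffic). Parameter name "file" is assumed.
SAMPLE_LOG = """\
{"ts": "2025-08-24T10:10:00", "ip": "198.51.100.4", "user": "editor1", "role": "editor", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "body": "action=heartbeat&_nonce=abc123"}
{"ts": "2025-08-24T10:12:40", "ip": "203.0.113.7", "user": "newuser42", "role": "subscriber", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "body": "action=del_img_ajax_call&file=2025/08/avatar.png"}
{"ts": "2025-08-24T10:14:30", "ip": "203.0.113.7", "user": "newuser42", "role": "subscriber", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "body": "action=del_img_ajax_call&file=%252e%252e%2F%252e%252e%2Fwp-config.php"}
{"ts": "2025-08-24T10:15:03", "ip": "203.0.113.7", "user": "newuser42", "role": "subscriber", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "status": 200, "body": "action=del_img_ajax_call&file=../../../wp-config.php"}
{"ts": "2025-08-24T10:15:09", "ip": "203.0.113.7", "user": "", "role": "", "method": "GET", "uri": "/wp-admin/setup-config.php", "status": 200, "body": ""}
"""

TARGET_ACTION = "del_img_ajax_call"
SENSITIVE_NAMES = {"wp-config.php", ".htaccess", "index.php", "wp-settings.php", "wp-load.php"}
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def suspicious_path(value: str) -> bool:
    """True for traversal, an absolute path, or a sensitive core file name."""
    # Decode once more: the framework already URL-decoded the body once, so a
    # double-encoded "%252e%252e" survives as "%2e%2e" and would slip past a
    # literal ".." match. Backslashes are folded to "/" for Windows hosts.
    v = unquote(value).replace("\\", "/")
    return (
        TRAVERSAL.search(v) is not None
        or v.startswith("/")
        or os.path.basename(v) in SENSITIVE_NAMES
    )


def scan_log(text: str) -> list[dict]:
    """One alert per call to the vulnerable action that carries a bad path."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e["method"] != "POST" or not e["uri"].endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(e["body"], keep_blank_values=True)
        if params.get("action", [""])[0] != TARGET_ACTION:
            continue
        for name, values in params.items():
            if name == "action":
                continue
            for v in values:
                if suspicious_path(v):
                    alerts.append({"ts": e["ts"], "ip": e["ip"], "user": e["user"],
                                   "role": e["role"], "param": name, "value": unquote(v)})
    return alerts


def setup_wizard_after(text: str, alerts: list[dict],
                       window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Wizard indicator: /wp-admin/setup-config.php served with 200 within
    `window` after a suspicious deletion. One hit per wizard request."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if not e["uri"].endswith("/wp-admin/setup-config.php") or e["status"] != 200:
            continue
        t = datetime.fromisoformat(e["ts"])
        preceded_by = sorted({a["user"] for a in alerts
                              if t - window <= datetime.fromisoformat(a["ts"]) <= t})
        if preceded_by:
            hits.append({"wizard_ts": e["ts"], "wizard_ip": e["ip"], "preceded_by": preceded_by})
    return hits


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(found)
    print(setup_wizard_after(SAMPLE_LOG, found))
```

The legitimate deletion of 2025/08/avatar.png produces no alert, the double-encoded request is caught only because of the second decode in suspicious_path, and the wizard hit ties both suspicious calls to the same Subscriber account.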
Monitoring Recommendations
- Enable audit logging of AJAX actions and capability checks. WordPress core does not ship an audit log, so this means an activity-logging plugin or a small must-use plugin that records wp_ajax_* actions together with the calling user and role.
- Forward web and application logs to a centralized analytics pipeline and alert on deletion of wp-config.php or files outside wp-content/uploads/.
- Track creation of new user accounts and role changes following any 200-response to the del_img_ajax_call endpoint.
How to Mitigate CVE-2025-9048
Immediate Actions Required
- Disable or remove the Wptobe-memberships plugin until a fixed version is published and verified.
- Restrict user registration and audit existing Subscriber-tier accounts for unfamiliar entries.
- Back up wp-config.php and the WordPress root, and store the backup outside the web root.
- Apply ownership and permissions so the PHP process cannot delete files outside wp-content/uploads/. Deletion is authorised by write permission on the parent directory, not on the file, so the WordPress root and plugin directories must not be writable by the web server user.
Patch Information
No vendor-fixed version is listed in the published advisory at the time of writing. Versions up to and including 3.4.2 remain vulnerable. Monitor the WordPress Plugin Code repository and the Wordfence advisory for an updated release that introduces path validation in del_img_ajax_call().
Workarounds
- Deactivate the plugin from the WordPress admin or remove its directory from wp-content/plugins/.
- Add a web application firewall rule that blocks admin-ajax.php requests with action=del_img_ajax_call or path parameters containing traversal sequences.
- Set the WordPress option to disable open registration (Settings → General → Membership) to reduce the attacker pool.
- Harden ownership so that wp-config.php and the directory containing it are owned by root and only readable by the web server user. A read-only mode on the file alone does not prevent deletion, because unlink needs write access to the directory rather than to the file; the trade-off is that core updates, which write into the document root, must then run as the owning user (for example through WP-CLI) rather than through the web process.
# Example: disable the plugin and lock down wp-config.php.
# Deletion needs write access to the containing directory, so lock down
# the document root as well; chmod 440 on the file alone does not stop unlink.
wp plugin deactivate wptobe-memberships
chown root:www-data /var/www/html
chmod 755 /var/www/html
chown root:www-data /var/www/html/wp-config.php
chmod 440 /var/www/html/wp-config.php
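Why the directory matters, shown on a scratch tree as an added demonstration (not part of the advisory): on POSIX systems unlink() is authorised by write and execute permission on the parent directory, and no mode bit on the file itself is consulted. The paths are a constructed temporary tree standing in for /var/www/html; the function names are this example's own. Root bypasses directory permissions, so the result records whether it ran as root.

```python
import os
import tempfile
from pathlib import Path

# Added demonstration, not from the advisory. The tree below is a constructed
# scratch directory that stands in for /var/www/html.


def try_unlink(path: Path) -> bool:
    """Attempt deletion; False means the kernel refused it."""
    try:
        path.unlink()
        return True
    except PermissionError:
        return False


def run_permission_demo() -> dict:
    out = {"running_as_root": hasattr(os, "geteuid") and os.geteuid() == 0}
    placeholder = "<?php // constructed placeholder, not a real config\n"
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "html"        # stands in for /var/www/html
        docroot.mkdir()
        config = docroot / "wp-config.php"

        # Case 1: read-only file (mode 400, like the chmod 440 advice) inside a
        # directory the process can write. This is the usual state when the PHP
        # user owns the document root, and the file still goes away.
        config.write_text(placeholder)
        config.chmod(0o400)
        out["readonly_file_deleted"] = try_unlink(config)

        # Case 2: same read-only file, but the directory itself is no longer
        # writable by this process (the effect of a root-owned docroot with
        # mode 755 on a process that is not the owner). Now unlink is refused,
        # unless the process is root, which overrides directory permissions.
        config.write_text(placeholder)
        config.chmod(0o400)
        docroot.chmod(0o500)
        try:
            out["protected_dir_deleted"] = try_unlink(config)
        finally:
            docroot.chmod(0o700)  # restore so TemporaryDirectory can clean up
    return out


if __name__ == "__main__":
    print(run_permission_demo())
```

Run as an unprivileged user (the web server's account is the realistic case) the first deletion succeeds and the second fails, which is the whole point of changing the directory's ownership and mode rather than only the file's.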
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


