A high-severity arbitrary file deletion vulnerability in the Vikinger theme for WordPress allows authenticated attackers to delete critical system files, potentially leading to a complete denial of service or system compromise.

The vulnerability exists due to insufficient file path validation within the vikinger_delete_activity_media_ajax() function. An authenticated attacker can exploit this flaw to delete arbitrary files on the server's filesystem, including critical application or operating system files.

A successful exploit of this vulnerability could lead to a complete denial of service by deleting critical WordPress core files or server configuration files. This results in significant operational downtime, potential data loss, and reputational damage. The CVSS score of 8.1 reflects the high severity of this threat, as it can be used to render the entire web application and potentially the underlying server inoperable.

Immediate Action: Administrators should immediately check the vendor's advisory for a patched version of the Vikinger theme and apply the update. If a patch is not yet available, consider the compensating controls below as a critical temporary measure.

Proactive Monitoring: Monitor server file integrity and review web server access logs for suspicious requests targeting the AJAX endpoint associated with the vikinger_delete_activity_media_ajax function.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block or log requests that attempt to exploit this file path traversal vulnerability. If the theme is not essential, disabling or removing it will mitigate the risk.

Public Exploit Available: false

Given the high-impact nature of arbitrary file deletion, this vulnerability poses a severe risk to the availability and integrity of the affected WordPress site. We strongly recommend that administrators prioritize checking for and applying the vendor-supplied patch immediately. If an update is unavailable, disabling the theme is the most effective mitigation strategy to prevent potential system compromise.