CVE-2025-6043

WordPress · WordPress Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin

A high-severity vulnerability has been identified in the Malcure Malware Scanner plugin for WordPress.

Executive summary

A high-severity vulnerability has been identified in the Malcure Malware Scanner plugin for WordPress. This flaw allows a low-privileged attacker to delete arbitrary files from the web server, potentially leading to a complete website outage, data loss, or a full compromise of the site. Organizations using this plugin are at significant risk of operational disruption and should take immediate action to mitigate this threat.

Vulnerability

The vulnerability exists within the wpmr_delete_file() function of the plugin. This function is responsible for file deletion but fails to perform a "capability check," which is a standard WordPress security measure to verify if the user making the request has the necessary permissions (e.g., administrator rights). Consequently, any authenticated user, regardless of their privilege level (such as a subscriber), can craft a specific request to this function and force the server to delete any file that the web server process has write permissions for. This could include critical configuration files like wp-config.php, core WordPress files, or other plugin/theme files, effectively causing a denial of service or paving the way for further attacks.
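An added illustration of the missing check (example code written for this page, not the plugin's own code): a WordPress AJAX file-deletion handler with the capability check the advisory says wpmr_delete_file() lacks, plus a nonce check and a path-containment check. The hook name, nonce action, parameter name and the uploads-directory restriction are assumptions for the example.

```php
<?php
// Added example, not Malcure plugin code. Hook name, nonce action, 'path'
// parameter and the uploads-only restriction are assumptions.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_handler' );

function example_delete_file_handler() {
    // 1. Capability check. Its absence is the flaw in the advisory: without
    //    it any logged-in user, e.g. a subscriber, can reach the deletion code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: dies with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_file_nonce', 'nonce' );

    // 3. Input handling: treat the requested path as an untrusted string.
    $requested = isset( $_POST['path'] )
        ? trim( sanitize_text_field( wp_unslash( $_POST['path'] ) ) )
        : '';
    if ( '' === $requested ) {
        wp_send_json_error( array( 'message' => 'No path supplied.' ), 400 );
    }

    // 4. Path containment: resolve symlinks and ".." with realpath(), then
    //    require the target to sit inside the uploads directory, so
    //    wp-config.php, core files, themes and other plugins are unreachable.
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    $target     = realpath( $base . '/' . ltrim( $requested, '/\\' ) );

    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( array( 'message' => 'File not allowed.' ), 400 );
    }

    // 5. Delete through the WordPress wrapper around unlink() and report.
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

The same structure (capability check, nonce, containment) applies to any privileged plugin action exposed through admin-ajax.php; the capability chosen should match the least privilege the action actually requires.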

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could have a severe business impact, including a complete denial of service if core application files are deleted, rendering the website inaccessible to customers and employees. The deletion of sensitive configuration files could expose database credentials or lead to a site reset, resulting in data loss. The reputational damage from a defaced or offline website can be significant, eroding customer trust and potentially impacting revenue. The cost of incident response, forensic analysis, and website restoration from backups could also be substantial.

Remediation

Immediate Action: Update the "Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal" plugin to the latest patched version (greater than 16) without delay. If this plugin is not critical to your operations, the recommended course of action is to deactivate it and remove it completely from your WordPress installation to eliminate the attack surface.

Proactive Monitoring: Monitor web server and application logs for suspicious POST requests targeting WordPress's admin-ajax.php that may be calling the vulnerable wpmr_delete_file() function. Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized changes or deletions to core WordPress files, themes, and plugins.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with a custom rule to block requests attempting to access the vulnerable wpmr_delete_file() function. Restrict access to the WordPress login and admin areas (/wp-login.php and /wp-admin/) to trusted IP addresses. Disable user registration on the website if it is not required for business operations to limit the number of potential low-privileged accounts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 8.1) and the potential for complete site compromise, we strongly recommend immediate action. Although this vulnerability is not currently listed on the CISA KEV list, its impact is critical. All organizations using the affected Malcure Malware Scanner plugin must prioritize updating it to the latest version immediately. If the plugin is not in use, it should be uninstalled as a critical security hygiene measure.