CVE-2025-7712

The Madara Multiple Products (specifically The Madara - Core plugin for WordPress)

Executive summary

A critical vulnerability has been discovered in The Madara - Core plugin for WordPress, assigned CVE-2025-7712. This flaw allows an authenticated attacker to delete arbitrary files from the underlying server, including critical website configuration and system files. Successful exploitation can lead to a complete denial of service, data loss, or a full compromise of the website.

Vulnerability

The vulnerability exists within the wp_manga_delete_zip() function, which is responsible for deleting files. The function fails to properly validate the file path provided in a user request. An authenticated attacker, even with low privileges, can exploit this by crafting a request with path traversal sequences (e.g., ../) to target and delete files outside of the intended directory. Deleting critical files such as wp-config.php could disable the website and allow an attacker to re-run the installation process, leading to a complete site takeover.

Business impact

This vulnerability is rated critical, with a CVSS score of 9.1. The business impact of exploitation is severe and can include:

  • Denial of Service (DoS): Deletion of core WordPress files, web server configurations (.htaccess), or PHP files will render the website completely inaccessible, leading to operational downtime and reputational damage.
  • Data Loss: An attacker could delete uploaded media, database backups, or other sensitive files stored on the server, resulting in permanent data loss.
  • Complete Site Compromise: By deleting the wp-config.php file, an attacker can trigger the WordPress installation process, connect the site to a database under their control, and gain full administrative access to the website.

Remediation

Immediate Action:

  • Immediately update The Madara - Core plugin to the latest patched version as recommended by the vendor.
  • After updating, review server logs (web server access logs, error logs) for any unusual activity or requests targeting the wp_manga_delete_zip() function that may indicate past or ongoing exploitation attempts.

Proactive Monitoring:

  • Implement log monitoring to specifically look for POST requests to WordPress admin endpoints that contain path traversal patterns like ../ or absolute file paths.
  • Utilize a File Integrity Monitoring (FIM) solution to generate alerts for any unauthorized changes or deletions of critical files, including wp-config.php, .htaccess, and core WordPress PHP files.
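As an added example (not from the advisory or the vendor), the log check described above run over constructed access-log lines. The AJAX action name wp_manga_delete_zip and the file parameter name are assumptions, not details from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined format), not from a real server.
# The action and parameter names are assumed; confirm them against your own traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wp_manga_delete_zip&file=chapter-01.zip HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=wp_manga_delete_zip&file=../../../wp-config.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jul/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=wp_manga_delete_zip&file=..%2F..%2F.htaccess HTTP/1.1" 200 51 "-" "curl/8.0"
203.0.113.12 - - [12/Jul/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=wp_manga_delete_zip&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 51 "-" "curl/8.0"
198.51.100.7 - - [12/Jul/2025:10:04:00 +0000] "GET /wp-content/uploads/2025/07/cover.jpg HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Jul/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=wp_manga_delete_zip&file=/etc/passwd HTTP/1.1" 200 51 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")  # a ".." path segment anywhere in the value
ABSOLUTE_RE = re.compile(r"^([/\\]|[A-Za-z]:[/\\])")  # Unix or Windows absolute path

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ ."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_reason(value: str):
    """Return why a parameter value looks like a file-system escape, or None."""
    decoded = decode_fully(value)
    if TRAVERSAL_RE.search(decoded):
        return "path traversal"
    if ABSOLUTE_RE.match(decoded):
        return "absolute path"
    return None

def scan_log(text: str):
    """One finding per POST to /wp-admin/ whose query string carries a suspicious value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith("/wp-admin/"):
            continue
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            reason = suspicious_reason(raw)
            if reason:
                findings.append({"ip": m["ip"], "time": m["ts"], "param": key, "value": raw, "reason": reason})
    return findings
```

Web-server access logs record only the request line, so a traversal sent in a POST body is invisible here; for that case inspect WAF or application logs, or enable request-body logging.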

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to block path traversal attack patterns.
  • Harden file system permissions to prevent the web server's user account from writing to or deleting files outside of its designated directories (e.g., wp-content/uploads).
  • Restrict access to the WordPress administrative dashboard to trusted IP addresses only.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Immediate action is required. Given the critical CVSS score of 9.1 and the high potential for a complete site compromise, we strongly recommend that all organizations using The Madara - Core plugin prioritize the deployment of the vendor-supplied patch immediately. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) list, its severity makes it a likely target for opportunistic attackers. The recommended remediation and monitoring steps should be implemented without delay to mitigate the risk of a security breach.