CVE-2025-7778
The Icons Factory plugin for WordPress
Executive summary
A critical vulnerability has been identified in The Icons Factory plugin for WordPress, assigned CVE-2025-7778 with a CVSS score of 9.8. This flaw allows a low-privileged or unauthenticated attacker to delete arbitrary files from the server hosting the WordPress site. Successful exploitation could lead to complete website destruction, denial of service, and potential server compromise, posing a severe risk to business operations and data integrity.
Vulnerability
The vulnerability exists within the plugin's delete_files() function, which suffers from two security weaknesses: insufficient authorization and improper path validation. The missing authorization check allows any user, potentially even an unauthenticated visitor, to trigger the function. The improper path validation (a path traversal weakness) means the supplied file path is not confined to the plugin's intended directories, so directory traversal sequences (e.g., ../../) in the file path parameter can reach any file on the server that the web server process has permission to delete. An attacker could exploit this to delete critical files such as wp-config.php or .htaccess, or even operating system files, leading to full compromise or destruction of the website.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for significant damage. Exploitation can directly impact business continuity by causing a complete and potentially unrecoverable denial of service if core application or server files are deleted. The deletion of configuration files could expose sensitive database credentials, leading to a data breach. The business risks include extended website downtime, significant financial costs for incident response and recovery, loss of customer trust, and severe reputational damage.
Remediation
Immediate Action: Immediately update The Icons Factory plugin for WordPress to the latest version provided by the vendor, which addresses this vulnerability. After updating, verify that the website is functioning correctly. If the plugin is not essential, consider disabling and deleting it until it can be safely patched.
Proactive Monitoring: Monitor web server and WAF (Web Application Firewall) logs for requests attempting to exploit this vulnerability. Specifically, look for requests targeting the plugin's administrative functions that contain path traversal payloads such as ../ or its URL-encoded form %2e%2e/. Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized changes to, or deletions of, critical WordPress core files such as wp-config.php.
Compensating Controls: If patching is not immediately possible, implement a WAF rule to block requests containing directory traversal sequences targeting the plugin's endpoints. As a temporary measure, consider disabling the plugin entirely to remove the attack vector. Ensure server file permissions are hardened, restricting the web server user's ability to write or delete files outside of necessary directories.
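The two defensive pieces described above, the path-confinement check a corrected delete_files() must perform before removing anything and the log-side detection of traversal payloads under Proactive Monitoring, as an added Python example that is not the plugin's or the vendor's code. The upload root, the access-log lines and the `action`/`file` parameter names are constructed placeholders, not values taken from the plugin.

```python
import os
import re
from urllib.parse import unquote

# Constructed example root; a real plugin would derive this from its own directory.
ALLOWED_ROOT = "/var/www/html/wp-content/uploads/icons-factory-example"


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding so %2e%2e and %252e%252e are seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_within(root, requested):
    """Canonical path for `requested` if it stays inside `root`, else None."""
    decoded = fully_decode(requested)
    # NUL bytes truncate C-level paths; absolute paths must never be honoured.
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith("\\"):
        return None
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks before the containment test.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # commonpath is segment-aware, so "/root-evil" is not treated as a child of "/root";
    # the root itself is also refused so the directory cannot be deleted outright.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


# A '..' path segment: preceded by start, a separator or a delimiter such as '=' or '&'.
TRAVERSAL_RE = re.compile(r"(?:^|[^A-Za-z0-9.])\.\.(?:[\\/]|$)")


def traversal_requests(log_lines):
    """Return combined-log-format lines whose decoded request target has a '..' segment."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and TRAVERSAL_RE.search(fully_decode(m.group(1))):
            hits.append(line)
    return hits


# Constructed access-log lines, not real traffic; parameter names are invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=icon.svg HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Aug/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete&file=../../../wp-config.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Aug/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=example_delete&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Aug/2025:10:00:04 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 200 8',
]
```

The containment check only makes sense after the capability and nonce checks the advisory's authorization point calls for; it handles the path half of the flaw, and the detector flags the second and third constructed lines while ignoring the benign ones.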
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity of this vulnerability, we recommend immediate and urgent action. The primary remediation is to apply the vendor-supplied patch to all affected WordPress instances without delay. Due to the high risk of complete site compromise, this vulnerability should be treated as a top priority for your security and IT teams. Although not currently listed on the CISA KEV catalog, its critical nature makes it a likely candidate for future inclusion, and organizations should operate under the assumption that it will be actively exploited.