Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read

CVE Details

Basic Information

Title Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
Type cve
Published 2025-07-18T06:45:32.423Z
Modified 2025-07-18T06:45:32.423Z

Product Information

Vendor malcure
Product Malcure Malware Scanner — #1 Toolset for Malware Removal
Version *

CVSS Information

Base Score 6.5 (MEDIUM)
Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Analysis

AI Description The Malcure Malware Scanner WordPress plugin is vulnerable to Arbitrary File Read, allowing authenticated attackers with subscriber access or higher to read arbitrary files on the server, potentially exposing sensitive information.
AI Severity Medium
AI Vendor WordPress Community
AI Product Malcure Malware Scanner
AI Version 16.8

Affected Products

  • malcure Malcure Malware Scanner — #1 Toolset for Malware Removal *

Additional Information

CWE List CWE-862
Source Wordfence

Description

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
