Attachment Manager ≤2.1.2: CVE-2025-7643 and the Perils of Unauthenticated File Deletion in WordPress
A single HTTP request can bring down your entire WordPress site: that's the real-world impact of CVE-2025-7643, a critical vulnerability in the Attachment Manager plugin. With a CVSS score of 9.1 and the ability for unauthenticated attackers to delete arbitrary files, including wp-config.php, this flaw is a textbook example of how a seemingly minor plugin oversight can lead to catastrophic compromise.
Brief: What is Attachment Manager?
Attachment Manager is a third-party WordPress plugin designed to help site owners manage and organize media attachments. While not among the most popular plugins (with a relatively small install base), it has been used by hundreds of sites to streamline file management. Its limited adoption and maintenance by a small developer team have unfortunately contributed to a history of severe vulnerabilities.
Technical Information
Vulnerability Mechanism
At the heart of CVE-2025-7643 is the handle_actions() function, which processes file operations based on user-supplied parameters. In all versions up to and including 2.1.2, the function fails to validate the file path provided in the file parameter. Critically, it also does not check whether the request is authenticated or authorized.
This means an attacker can send a crafted HTTP request to the vulnerable endpoint, using directory traversal sequences (../) to target files outside the intended directory. For example:
GET /wp-content/plugins/attachment-manager/lib/php/handle_actions.php?action=remove&file=../../../wp-config.php
This request instructs the plugin to delete the site's wp-config.php file, which contains database credentials and is essential for WordPress operation. Deleting this file can:
- Render the site inoperable
- Allow an attacker to reinitialize WordPress with their own database settings, potentially executing arbitrary code
- Facilitate further attacks such as privilege escalation or lateral movement
The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
Attack Vectors and Exploitation
- No authentication required: Any external actor can exploit the flaw.
- Directory traversal: The file parameter is not sanitized, so attackers can specify files anywhere on the server that the web server process can access.
- Critical file targeting: Deleting files like .htaccess, wp-config.php, or plugin files can lead to denial of service or remote code execution.
Vulnerable Code Pattern
While the exact vulnerable code is not public, the flaw is described as insufficient validation of the file parameter in the handle_actions() function. The pattern is:
$file = $_GET['file'];  // user-controlled path, taken as-is
@unlink($file);         // deleted with errors suppressed, no auth or path checks
No checks are performed to restrict $file to a safe directory or to validate the requester's permissions.
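As an added example of how the pattern above should look once both missing controls are in place, here is a hardened remove handler written for this advisory. It is not the Attachment Manager plugin's own code: the WordPress functions used (current_user_can, wp_verify_nonce, wp_upload_dir, wp_basename, wp_send_json_error) are real WordPress APIs, but the function name, the AJAX action name, the nonce action and the required capability are assumptions chosen for illustration. The two fixes are authorization (the vulnerable version had none) and path confinement via realpath(), which also neutralizes symlinks that point outside the uploads directory.

```php
<?php
// Added example: hardened replacement for the "$file = $_GET['file']; @unlink($file);"
// pattern. Not the plugin's code; names marked "assumed" are illustrative.

/**
 * Deletes one file from the WordPress uploads directory.
 *
 * @param  string $requested  Raw value of the "file" request parameter.
 * @return true|WP_Error     True on success, WP_Error with an HTTP status on refusal.
 */
function am_example_remove_attachment( string $requested ) {
    // 1. Authorization: the vulnerable version performed no check at all.
    //    'upload_files' is an assumed capability; pick the one that fits the plugin's role model.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.', [ 'status' => 403 ] );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action ("am_remove_file" is assumed).
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'am_remove_file' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or missing nonce.', [ 'status' => 403 ] );
    }

    // 3. Path confinement: accept only a bare file name, then verify the resolved
    //    path still lives under the uploads directory. "../" cannot survive basename,
    //    and realpath() resolves symlinks so a link out of the directory is refused too.
    $base = wp_upload_dir()['basedir'];
    $name = wp_basename( $requested );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return new WP_Error( 'bad_name', 'Invalid file name.', [ 'status' => 400 ] );
    }
    $real_base = realpath( $base );
    $real_file = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $real_base || false === $real_file
        || 0 !== strpos( $real_file, $real_base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'outside_base', 'File not found in the uploads directory.', [ 'status' => 404 ] );
    }

    // 4. Delete only regular files and report failure instead of suppressing it.
    if ( ! is_file( $real_file ) || ! unlink( $real_file ) ) {
        return new WP_Error( 'delete_failed', 'Could not delete file.', [ 'status' => 500 ] );
    }
    return true;
}

// Registering on wp_ajax_ (and deliberately NOT wp_ajax_nopriv_) means WordPress
// rejects unauthenticated callers before this code runs. Action name is assumed.
add_action( 'wp_ajax_am_example_remove', function () {
    $file   = isset( $_GET['file'] ) ? sanitize_text_field( wp_unslash( $_GET['file'] ) ) : '';
    $result = am_example_remove_attachment( $file );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), $result->get_error_data()['status'] );
    }
    wp_send_json_success();
} );
```

The containment check compares against $real_base followed by a separator rather than $real_base alone, so a sibling directory whose name merely starts with "uploads" (for example "uploads-old") cannot pass. Returning a 404 for anything outside the base, rather than a distinct error, avoids confirming to a caller which paths exist.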
Affected Systems and Versions
- Product: Attachment Manager plugin for WordPress
- Vulnerable Versions: All versions up to and including 2.1.2
- Fixed Version: 2.1.3 (users must update to this version or later)
- Configuration: Any WordPress site with the vulnerable plugin enabled is at risk, regardless of other security plugins or settings.
Vendor Security History
Attachment Manager has a history of severe vulnerabilities:
- 2016: Arbitrary file upload vulnerability in v2.1.1, fixed in 2.1.2 (Acunetix, Plugin Vulnerabilities).
- 2025: Arbitrary file deletion (CVE-2025-7643) in ≤2.1.2, fixed in 2.1.3.
The plugin is not actively maintained by a large vendor, and there is no evidence of a formal security response process. Users should consider migrating to better-supported alternatives.
References
- NVD Entry for CVE-2025-7643
- Official CVE Entry
- WordPress Plugin Page
- Wordfence Advisory
- SecAlerts Advisory
- Historical Arbitrary File Upload Vulnerability
Summary: CVE-2025-7643 is a critical, trivially exploitable flaw in Attachment Manager ≤2.1.2. Immediate patching or removal is required. The plugin's history of severe vulnerabilities and lack of robust vendor support make it unsuitable for production use.
Source: This report was created using AI