Icons Factory WordPress Plugin CVE-2025-7778 Arbitrary File Deletion: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-7778, a critical arbitrary file deletion vulnerability affecting all versions up to and including 1.6.12 of the Icons Factory plugin for WordPress. The flaw allows unauthenticated attackers to delete arbitrary files on the server due to insufficient authorization and improper path validation in the delete_files() function.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-08-15

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Deleting the wrong file on a WordPress server can instantly hand over control of an entire site to an attacker. CVE-2025-7778 makes this risk a reality for any site running the Icons Factory plugin up to and including version 1.6.12, where unauthenticated users can delete arbitrary files on the server due to critical flaws in the plugin's file management logic.

Icons Factory is a WordPress plugin that provides icon management features for site administrators and designers. While not among the most widely used WordPress plugins, it fills a niche for users seeking streamlined icon integration. Like many plugins in the WordPress ecosystem, it is developed and maintained by a small team, which can sometimes lead to gaps in security practices.

Technical Information

CVE-2025-7778 is caused by two main issues in the delete_files() function of the Icons Factory plugin:

  • Insufficient authorization: The function does not check whether the user making the request is permitted to delete files, so an unauthenticated visitor can trigger a deletion.
  • Improper path validation: The function does not sanitize or restrict the file path supplied by the user. Directory traversal sequences (such as ../) can therefore point the deletion at files outside the intended directory.

The vulnerable code is located in the main plugin file at line 1330. While the exact code is not reproduced here, public sources confirm that the function processes user-supplied file paths without adequate checks. An attacker can therefore craft a request naming any file path writable by the web server process, including critical files such as wp-config.php.

The most severe impact occurs when an attacker deletes wp-config.php. This file contains WordPress configuration and database credentials. When deleted, WordPress initiates its installation routine, allowing the attacker to create a new administrator account and take full control of the site.
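For contrast with the two flaws described above, the following is an added, illustrative hardened deletion handler for a WordPress plugin; it is not the Icons Factory code, and every name prefixed `example_` (the AJAX action, the function, the `example-icons` upload sub-directory) is hypothetical. It applies the authorization check, a CSRF nonce, and path containment via realpath() against a fixed base directory.

```php
<?php
// Illustrative hardened file-deletion handler (added example, not the plugin's code).
// Registered only for logged-in users: there is deliberately no wp_ajax_nopriv_ hook,
// so an unauthenticated request never reaches this function at all.
add_action( 'wp_ajax_example_delete_icon', 'example_delete_icon' );

function example_delete_icon() {
    // 1. Authorization: only users who may manage the site can delete files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die(), execution stops here
    }

    // 2. CSRF protection: the request must carry a nonce for this specific action.
    check_ajax_referer( 'example_delete_icon', 'nonce' );

    // 3. Accept a bare file name only; any path component is rejected outright.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || basename( $name ) !== $name ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Path containment: resolve both the base directory and the target with
    //    realpath() (which also collapses ../ and follows symlinks), then require
    //    the target to sit strictly inside the base. wp-config.php can never match.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-icons' ); // hypothetical dir
    $target = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'file not permitted', 400 );
    }

    // 5. Allow only the file types this feature actually manages.
    $ext = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'svg', 'png', 'ico' ), true ) ) {
        wp_send_json_error( 'file type not permitted', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

Steps 1 and 4 are the two controls whose absence the text describes; the nonce and extension checks are defence in depth that a review of any file-management endpoint would also expect.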

Affected Systems and Versions

  • Product: Icons Factory WordPress plugin
  • Affected versions: All versions up to and including 1.6.12
  • Vulnerable configuration: Any WordPress site with the plugin installed and active at these versions

Vendor Security History

There is no public record of previous vulnerabilities in Icons Factory. However, arbitrary file deletion flaws have been reported in other WordPress plugins, indicating a recurring issue in the ecosystem. The vendor's response time or patching history for this plugin is not documented in public sources.
