CVE-2025-8213 Information

Aug 01, 2025 cve

Description

The NinjaScanner – Virus & Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ’nscan_ajax_quarantine’ and ’nscan_quarantine_select’ functions in all versions up to and including 3.2.5. This makes it possible for authenticated attackers with Administrator-level access and above to delete arbitrary files on the server including files outside the WordPress root directory.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

https://plugins.trac.wordpress.org/browser/ninjascanner/trunk/lib/ajax_hooks.php#L331 https://plugins.trac.wordpress.org/browser/ninjascanner/trunk/lib/tab_quarantine.php#L114 https://plugins.trac.wordpress.org/changeset/3336569/ https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1da345-ddbb-48ad-b0c1-bb0cb3b0fc69?source=cve

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.2

CNNVD-202507-3893 (Published: 2025-07-31)

Share on:

CVE-2025-8213 Information

Description

CVSS Vector

Reference

Attack Complexity

Privileges Required

User Interaction Required

Scope

Confidentiality Impact

Integrity Impact

Availability Impact

Base Score

Base Severity

Related CNNVD