4 matches found
CVE-2025-3520
The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the...
CVE-2025-3520
creationtimestamp| type| source ---|---|--- 2025-04-18 01:58:03+00:00| published-proof-of-concept| https://t.me/DarkWebInformerCVEAlerts/12379 2025-04-18 02:48:24+00:00| seen| https://mastodon.social/users/CyberSignaler/statuses/114356682976579069 2025-04-18 04:00:19+00:00| seen|...
CVE-2025-3520
CVE-2025-3520 affects the WordPress Avatar plugin (versions ≤ 0.1.4). The root cause is insufficient file path validation in a function, enabling authenticated users with Subscriber+ access to delete arbitrary server files (e.g., wp-config.php), with potential remote code execution. Public entrie...
WordPress Avatar plugin <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability
Authenticated Subscriber+ Arbitrary File Deletion vulnerability discovered by theviper17y in WordPress Plugin Avatar versions = 0.1.4...