CVE-2025-8213

The NinjaScanner – Virus & Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions in all versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, including files outside the WordPress root directory.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/ninjascanner/trunk/lib/ajax_hooks.php#L331
https://plugins.trac.wordpress.org/browser/ninjascanner/trunk/lib/tab_quarantine.php#L114
https://plugins.trac.wordpress.org/changeset/3336569/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6b1da345-ddbb-48ad-b0c1-bb0cb3b0fc69?source=cve

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) El complemento NinjaScanner – Virus & Malware scan para WordPress es vulnerable a la eliminación arbitraria de archivos debido a una validación insuficiente de la ruta de archivo en las funciones 'nscan_ajax_quarantine' y 'nscan_quarantine_select' en todas las versiones hasta la 3.2.5 incluida. Esto permite que atacantes autenticados, con acceso de administrador o superior, eliminen archivos arbitrarios del servidor, incluso fuera del directorio raíz de WordPress.

31 Jul 2025, 13:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-31 13:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-8213

Mitre link : CVE-2025-8213

CVE.ORG link : CVE-2025-8213

JSON object : View

Products Affected

No product.

CWE

CWE-36

Absolute Path Traversal

7.2 /10