cleantalk
Vulnerabilities and Security Researches

Wptobe-memberships, CVE-2025-9048

CVE, Research URL

CVE-2025-9048

Home page URL

Security reports for Wptobe-memberships

Application

Wptobe-memberships

Published on
Aug 23, 2025
Research Description
The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affected versions
Min -, max 3.4.2.
Status
vulnerable
Previous vulnerability researches
Recurring PayPal Donations (CVE-2025-57891) , Aug 24, 2025
Recurring PayPal Donations (CVE-2024-35676) , Jun 10, 2024
New vulnerability
Sessions (CVE-2025-57890) , Aug 25, 2025
WP Admin Theme (CVE-2025-48325) , Aug 25, 2025
Site Offline Or Coming Soon Or Maintenance Mode (CVE-2025-48348) , Aug 25, 2025
Ni WooCommerce Customer Product Report (CVE-2025-7827) , Aug 25, 2025
Ogulo – 360° Tour (CVE-2025-9131) , Aug 25, 2025