CVE-2025-7643: 
WordPress vulnerability analysis and mitigation

The Attachment Manager plugin for WordPress contains a critical security vulnerability (CVE-2025-7643) discovered and disclosed on July 18, 2025. The vulnerability affects all versions up to and including 2.1.2 of the plugin. The issue stems from insufficient file path validation in the handle_actions() function, which exposes WordPress installations to potential security breaches (NVD CVE).

The vulnerability is classified as a Path Traversal issue (CWE-22) that allows for arbitrary file deletion due to improper validation of file paths. The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, indicating that it can be exploited remotely without requiring any privileges or user interaction (NVD CVE).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This capability is particularly dangerous as it can lead to remote code execution when critical files such as wp-config.php are targeted. The deletion of essential system files could result in website disruption or complete compromise of the WordPress installation (NVD CVE).

The plugin has been permanently closed and is no longer available for download as of July 14, 2025. Users are strongly advised to immediately remove the Attachment Manager plugin from their WordPress installations to prevent potential exploitation (WordPress Plugin).