CVE-2025-7778: 
WordPress vulnerability analysis and mitigation

The Icons Factory plugin for WordPress contains a critical vulnerability (CVE-2025-7778) discovered on August 15, 2025. The vulnerability affects all versions up to and including 1.6.12, and has been classified with a CVSS v3.1 base score of 9.8 (Critical). The plugin has been temporarily closed pending a full security review (WordPress Plugin, NVD Database).

The vulnerability is classified as an Arbitrary File Deletion issue (CWE-285) due to insufficient authorization and improper path validation within the delete_files() function. The vulnerability has received a CVSS v3.1 score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to delete arbitrary files on the server. This can lead to remote code execution when critical files such as wp-config.php are deleted, potentially compromising the entire WordPress installation (NVD Database).

The plugin has been temporarily closed and removed from the WordPress plugin repository as of August 14, 2025, pending a full security review. Users are advised to immediately remove the plugin from their WordPress installations until a patched version is released (WordPress Plugin).