CVE-2025-8213: 
WordPress vulnerability analysis and mitigation

The NinjaScanner – Virus & Malware scan plugin for WordPress (versions up to and including 3.2.5) was identified with CVE-2025-8213. This vulnerability was discovered by Jonas Benjamin Friedli and publicly disclosed on July 30, 2025. The security flaw affects the plugin's file handling functionality and allows authenticated administrators to perform arbitrary file deletions (NVD).

The vulnerability stems from insufficient file path validation in the 'nscanajaxquarantine' and 'nscanquarantineselect' functions. It has been assigned a CVSS v3.1 score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-36 (Absolute Path Traversal) and affects the plugin's file deletion capabilities (Wordfence).

The vulnerability allows authenticated attackers with Administrator-level access to delete arbitrary files on the server, including files located outside the WordPress root directory. This could potentially lead to site disruption and data loss (NVD).

The vulnerability has been patched in version 3.2.6 of the NinjaScanner plugin. The update implements proper validation to ensure that only files flagged as suspicious by the scanner can be moved to the quarantine folder (WordPress Plugin).