CVE-2025-9048: 
WordPress vulnerability analysis and mitigation

CVE-2025-9048 affects the Wptobe-memberships plugin for WordPress, discovered and disclosed in August 2025. The vulnerability exists in versions up to and including 3.4.2, specifically in the del_img_ajax_call() function. This security issue allows authenticated attackers with Subscriber-level access or higher to perform arbitrary file deletion on the server (Wordfence).

The vulnerability stems from insufficient file path validation in the del_img_ajax_call() function within the bwlms-fields.php file. The function accepts user input through $_POST['img'] parameter without proper validation and directly passes it to the PHP unlink() function, which is used for file deletion. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on integrity and availability (NVD).

The vulnerability can lead to arbitrary file deletion on the server, which could result in severe consequences. Most critically, attackers could potentially delete crucial system files such as wp-config.php, which could lead to remote code execution or complete site disruption. The ability to delete arbitrary files poses a significant threat to the integrity and availability of the WordPress installation (Wordfence).

Users should immediately update the Wptobe-memberships plugin to a version newer than 3.4.2 when available. Until an update is released, it is recommended to either disable the plugin or restrict access to the WordPress user registration feature to prevent new users from obtaining the required subscriber access (NVD).