Arbitrary File Deletion Vulnerability in Vikinger Theme by WordPress
CVE-2025-4946

8.1HIGH

Key Information:

Vendor: WordPress
Status: Vikinger
Vendor: CVE Published:; 2 July 2025

What is CVE-2025-4946?

The Vikinger theme for WordPress contains a security flaw allowing authenticated users with Subscriber access or higher to perform arbitrary file deletions. This vulnerability arises from insufficient validation in the vikinger_delete_activity_media_ajax() function, applicable to all versions up to and including 1.9.32. If exploited, it may enable attackers to delete critical files on the server, such as wp-config.php, increasing the risk of remote code execution. To mitigate this vulnerability, ensure the Vikinger Media plugin is properly managed and updated.

Affected Version(s)

Vikinger * <= 1.9.32

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/vikinger-buddypress-and-gami...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 2, 2025
Vulnerability Reserved
May 19, 2025

Credit

Friderika Baranyai