CVE-2025-7778
Icons Factory <= 1.6.12 - Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
| CWE | CWE-285 |
| Vendor | artkrylov |
| Product | icons factory |
| Published | Aug 15, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for artkrylov icons factory
Be the first to know when new critical vulnerabilities affecting artkrylov icons factory are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
artkrylov / Icons Factory
0 โค 1.6.12
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/24f31bbf-883f-4903-847a-7bfc3e45654c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/icons-factory/tags/1.6.12/icons-factory.php#L1330 wordpress.org: https://wordpress.org/plugins/icons-factory/#developers
Credits
JohSka