CVE-2025-5391
BaseFortify
Publication date: 2025-08-12
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | wc-purchase-orders | 1.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the WooCommerce Purchase Orders plugin for WordPress, specifically in the delete_file() function. Due to insufficient validation of file paths, authenticated users with Subscriber-level access or higher can delete arbitrary files on the server. This means an attacker can specify any file path and cause that file to be deleted. Deleting critical files like wp-config.php can lead to remote code execution, allowing the attacker to run malicious code on the server. [2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized deletion of important server files, which can disrupt website functionality or cause data loss. More critically, deleting key files such as wp-config.php can enable remote code execution, allowing attackers to take control of the server, potentially leading to data breaches, defacement, or further exploitation of the system. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious file deletion activity within the WordPress uploads directory, especially under wp-content/uploads/wc-purchase-orders/. Since the vulnerability allows authenticated users with Subscriber-level access and above to delete arbitrary files via the delete_file() AJAX handler, you can look for unusual AJAX requests to the plugin's file deletion endpoint. Additionally, checking server logs for unexpected deletions of critical files like wp-config.php or other important files is recommended. Specific commands could include:
1. Searching web server access logs for AJAX calls related to file deletion, for example:
   grep 'admin-ajax.php' /path/to/access.log | grep 'delete_file'
2. Monitoring file system changes with tools like inotifywait on Linux to watch for deletions in the uploads directory:
   inotifywait -m -e delete /path/to/wp-content/uploads/wc-purchase-orders/
3. Using WordPress security plugins or audit logs to track file deletion events.
However, exact command usage depends on your environment and logging setup. [2]
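As an added example (not code from the advisory or from the plugin), the following Python script does what the grep pipeline above does but also checks the requested path: it parses constructed access-log lines, keeps only admin-ajax.php requests carrying the delete_file action, and flags targets that contain traversal sequences (including double-encoded ones) or that name wp-config.php. The AJAX action name delete_file and the parameter name file are assumptions, and the script assumes the parameters appear in the logged request URI; if the plugin sends them in a POST body, a standard access log will not contain them and you would need request-body logging, a WAF log, or a WordPress audit log instead.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed names, not confirmed by the advisory: the AJAX action is "delete_file"
# and the path to delete arrives in a query parameter named "file".
AJAX_ACTION = "delete_file"
PATH_PARAM = "file"
# The advisory singles out wp-config.php as the file whose deletion leads to RCE.
CRITICAL_FILES = {"wp-config.php"}
# Constructed combined-format access-log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=delete_file&file=../../../wp-config.php HTTP/1.1" 200 31
203.0.113.5 - - [12/Aug/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=delete_file&file=po-1042.pdf HTTP/1.1" 200 31
198.51.100.7 - - [12/Aug/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12
198.51.100.9 - - [12/Aug/2025:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=delete_file&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 31
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal(target: str) -> bool:
    """True if the requested path escapes its directory or names a critical file."""
    decoded = unquote(target)  # parse_qs already decoded once; this catches double encoding
    normalised = decoded.replace("\\", "/")
    parts = normalised.split("/")
    return ".." in parts or normalised.startswith("/") or parts[-1].lower() in CRITICAL_FILES

def scan_log(text: str) -> list:
    """Return one finding per delete_file AJAX request, marking suspicious targets."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlsplit(m.group("uri"))
        if not parsed.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(parsed.query)
        if params.get("action", [""])[0] != AJAX_ACTION:
            continue
        target = params.get(PATH_PARAM, [""])[0]
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
                         "target": target, "suspicious": is_traversal(target)})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("ALERT" if f["suspicious"] else "ok   ", f["ip"], f["time"], f["target"])
```

Running it against the constructed sample prints ALERT for the two traversal attempts and ok for the ordinary purchase-order PDF; the heartbeat request is ignored.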
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Update the WooCommerce Purchase Orders plugin to a version later than 1.0.2 where this vulnerability is fixed.
2. Restrict or review user roles and permissions to limit Subscriber-level and above users from performing file deletions, if possible.
3. Ensure the wp-content/uploads/wc-purchase-orders/ directory permissions are properly set and monitored.
4. Disable or restrict AJAX actions related to file deletion if you cannot update immediately, possibly by removing or overriding the delete_file() AJAX handler.
5. Monitor server logs and the file system for suspicious deletions.
6. Back up critical files such as wp-config.php regularly to enable recovery in case of malicious deletion.
These steps help prevent exploitation and reduce impact until a patch is applied. [2]