CVE-2025-12835
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12835, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: WPScan

Description

The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-07-06
AI Q&A
2025-12-12
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
woomulti wordpress_plugin 1.7

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WooMulti WordPress plugin up to version 17 does not properly validate a file parameter when deleting files. This flaw allows any authenticated user, including low-privileged users like subscribers, to delete arbitrary files on the server.

Impact Analysis

This vulnerability can allow authenticated users to delete any files on the server, potentially leading to data loss, disruption of website functionality, or compromise of server integrity.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the exploit scenario. Place a test file (e.g., test.php) in the root WordPress directory, then send a crafted POST request to the admin-ajax.php endpoint with parameters specifying the deletion action and a path traversal sequence targeting the test file. For example, using curl: curl -X POST -d 'action=delete_file&file=.../../../test.php' https://yourwordpresssite.com/wp-admin/admin-ajax.php with an authenticated subscriber cookie. If the test file is deleted, the vulnerability exists. [1]

Mitigation Strategies

Since there is currently no known fix for this issue, immediate mitigation steps include restricting subscriber-level user permissions to prevent file deletion actions, monitoring and logging POST requests to admin-ajax.php for suspicious file deletion attempts, and removing or limiting access to the vulnerable WooMulti plugin until a patch is released. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12835. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart