CVE-2025-13391
Awaiting Analysis
Awaiting Analysis - Queue
Unauthorized File Deletion in WooCommerce Uni CPO via Missing Capability Check
Vulnerability report for CVE-2025-13391, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-02-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
The Product Options and Price Calculation Formulas for WooCommerce β Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| moomoo_agency | uni_cpo | to 4.9.60 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |