Platform
wordpress
Component
wc-purchase-orders
Fixed in
1.0.3
CVE-2025-5391 is an arbitrary file deletion vulnerability in the Purchase Orders for WooCommerce plugin for WordPress. It allows authenticated attackers with Subscriber-level access or higher to delete files on the server. The impact is severe, because deleting a critical file such as wp-config.php can be turned into remote code execution and a full compromise of the WordPress site. Versions 1.0.0 through 1.0.2 are affected; version 1.0.3 fixes the issue.
The direct impact of CVE-2025-5391 is that an authenticated attacker can delete arbitrary files on the server. Deletion alone sounds limited, but on WordPress it is a well-understood route to remote code execution: once wp-config.php is gone, the next request to the site starts the WordPress installer, and whoever reaches it first can point the site at a database they control, create an administrator account, and then install arbitrary PHP through the admin interface. How far this gets depends on the server configuration (for example, whether outbound database connections are allowed), but at minimum the site is taken offline. Only Subscriber-level access is required; that is the default role WordPress assigns to self-registered users, so any site with open registration, or any site where a low-privilege account has been phished or reused, is exposed. This is the same pattern as earlier WordPress arbitrary-file-deletion bugs, where removing a single configuration file led to complete system compromise.
CVE-2025-5391 was publicly disclosed on 2025-08-12. Currently, there is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation once a vulnerable system is identified.
WordPress websites utilizing the Purchase Orders for WooCommerce plugin, particularly those running versions 1.0.0 through 1.0.2, are at significant risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable. Sites with weak password policies or compromised user accounts are also more susceptible to exploitation.
• wordpress / composer / npm (authoritative: the installed version):
wp plugin list --name=purchase-orders-for-woocommerce --fields=name,status,version
Any version from 1.0.0 through 1.0.2 is vulnerable. The slug above is the one this page uses in its other commands; the directory name on your install may differ, so confirm it with a listing of wp-content/plugins.
• wordpress / composer / npm (heuristic: look for deletion calls in the plugin source; the earlier form of this command grepped for delete_file(, which is neither a PHP nor a WordPress function):
grep -rn "unlink(\|wp_delete_file(" /var/www/html/wp-content/plugins/purchase-orders-for-woocommerce/
• generic web (heuristic only: the endpoint path below is an assumption, not one this advisory confirms, and a request carrying a file parameter should never be sent at a site you do not own):
curl -I "https://your-wordpress-site.com/wp-content/plugins/purchase-orders-for-woocommerce/delete.php?file=/etc/passwd"
Disclosure
Exploit status
EPSS
1.42% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-5391 is to upgrade the Purchase Orders for WooCommerce plugin to version 1.0.3 or later, the release that fixes the issue. If you cannot upgrade immediately, deactivate the plugin: the vulnerable handler is only reachable while the plugin is active. As defence in depth, restrict file permissions so the web server user cannot delete wp-config.php (on hosts where the web server owns the WordPress tree this may not be possible), add Web Application Firewall rules that block requests to the plugin's endpoints carrying path traversal sequences (../ and its URL-encoded forms) or references to wp-config.php, and monitor logs for unexpected file deletions and for requests reaching wp-admin/setup-config.php or wp-admin/install.php, which on an already-installed site indicate that wp-config.php has gone missing.
Update the Purchase Orders for WooCommerce plugin to the latest available version (1.0.3 or later). This update addresses the arbitrary file deletion vulnerability by improving validation of file paths, preventing attackers with Subscriber privileges from deleting sensitive files on the server.
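As an added example (not code from the plugin, and not taken from this advisory), the following PHP sketch shows the bug class described above next to a handler that applies the kind of path validation the fix refers to, together with the capability and nonce checks a deletion endpoint needs. The AJAX action name po_example_delete, the uploads/purchase-orders directory and the manage_woocommerce capability are assumptions made for the example; nothing here reflects the plugin's actual code.

```php
<?php
/**
 * Added illustration, not code from the Purchase Orders for WooCommerce plugin.
 * Shows a deletion handler that concatenates user input into a path and only
 * checks that the caller is logged in, next to a hardened handler.
 * The AJAX action, nonce action, uploads/purchase-orders directory and
 * manage_woocommerce capability are assumptions for the example.
 */

// --- Vulnerable pattern --------------------------------------------------
function po_example_delete_vulnerable() {
    // Authentication only: a Subscriber is logged in, so this check passes.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // Attacker-controlled, e.g. "../../../wp-config.php".
    $file = wp_unslash( $_POST['file'] ?? '' );
    $path = WP_CONTENT_DIR . '/uploads/purchase-orders/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path ); // the ".." segments resolve outside the intended directory
    }
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------
function po_example_delete_hardened() {
    // 1. CSRF protection: the request must carry a valid nonce.
    check_ajax_referer( 'po_example_delete', 'nonce' );

    // 2. Authorisation by capability, not by "is anyone logged in".
    //    Subscribers do not hold manage_woocommerce.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Accept a bare file name only. sanitize_file_name() strips path
    //    separators and other dangerous characters; the basename() comparison
    //    rejects anything that still looks like a path.
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    if ( '' === $name || $name !== basename( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. Canonicalise both sides and require the target to sit inside the
    //    allowed directory. realpath() follows symlinks and collapses "..",
    //    so a traversal that slipped past step 3 is still caught here.
    $dir    = realpath( WP_CONTENT_DIR . '/uploads/purchase-orders' );
    $target = ( false !== $dir ) ? realpath( $dir . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $dir || false === $target || ! is_file( $target )
        || 0 !== strpos( $target, $dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'file not found', 404 );
    }

    // 5. Delete through core's guarded helper (added in WordPress 4.9.7 for
    //    exactly this bug class); it re-checks containment before unlinking.
    if ( ! wp_delete_file_from_directory( $target, $dir ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }

    // 6. Leave a forensic trail: who deleted what.
    error_log( sprintf( 'purchase-orders: user %d deleted %s', get_current_user_id(), $target ) );
    wp_send_json_success( array( 'deleted' => $name ) );
}

// Register only the authenticated hook; there is no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_po_example_delete', 'po_example_delete_hardened' );
```

The decisive controls are the capability check (step 2) and the realpath containment check (step 4). sanitize_file_name() on its own is not a trustworthy boundary, because a later change that starts accepting subdirectories would silently reopen the traversal; the containment check keeps holding regardless. The vulnerable variant is exploitable by any logged-in account precisely because it is registered on an authenticated AJAX hook but authorises nobody beyond that.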
CVE-2025-5391 is a vulnerability in the Purchase Orders for WooCommerce plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are running Purchase Orders for WooCommerce versions 1.0.0 through 1.0.2. Upgrade to 1.0.3 or later.
Upgrade to 1.0.3 or later. If you cannot upgrade immediately, deactivate the plugin, tighten write permissions on the WordPress files so the web server user cannot remove wp-config.php, and put a WAF in front of the site.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation.
Check the Purchase Orders for WooCommerce plugin's official website and WordPress plugin repository for updates and advisories.