Platform: wordpress
Component: woosa-ai-for-woocommerce
Fixed in: 1.3.1
CVE-2025-14301 is a critical Path Traversal vulnerability discovered in the Integration Opvius AI for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to manipulate file paths, potentially leading to unauthorized file access and deletion. The vulnerability affects versions 0.0.0 through 1.3.0, and a patch is expected to be released by the vendor.
The impact of CVE-2025-14301 is severe. An attacker can leverage the processtablebulk_actions() function to delete or download arbitrary files on the WordPress server. This includes critical system files like wp-config.php, which contains database credentials and other sensitive configuration information. Successful exploitation could lead to complete server compromise, data exfiltration, and denial of service. The lack of authentication checks and proper path validation makes this vulnerability particularly dangerous, as any unauthenticated user can trigger the vulnerability by crafting a malicious POST request.
This vulnerability is considered high risk due to its critical CVSS score and the ease of exploitation. Public proof-of-concept code is likely to emerge quickly, increasing the risk of widespread exploitation. The vulnerability was publicly disclosed on 2026-01-14. Monitor security advisories and vulnerability databases for updates and potential exploitation campaigns.
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2025-14301 is to immediately upgrade the Integration Opvius AI for WooCommerce plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to prevent exploitation. As a short-term workaround, implement strict file permissions on the WordPress server to limit the impact of potential file deletion. Review web server access logs for suspicious POST requests containing the wsaw-log[] parameter. After upgrading, verify the integrity of critical WordPress files, such as wp-config.php, to ensure they haven't been tampered with.
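The log review described above can be scripted. The following is an added example, not code from the plugin or its vendor. It assumes a combined-format access log with the request body appended as a final quoted field, because stock access logs do not record POST bodies. The sample lines, IP addresses and the `/example-endpoint` path are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumed log format: combined access log with the request body appended as a
# last quoted field. Stock access logs do not record POST bodies.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+(?P<rest>.*)$')
PARAM_RE = re.compile(r'wsaw-log\[[^\]]*\]=([^&"\s]*)', re.IGNORECASE)

def decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded input is also caught."""
    for _ in range(rounds):
        once = unquote_plus(text)
        if once == text:
            break
        text = once
    return text

def is_traversal(value):
    """True when a value climbs directories or is an absolute path."""
    return '..' in re.split(r'[\\/]', value) or value.startswith(('/', '\\'))

def scan(lines):
    """Return (ip, method, status, verdict, values) per line with wsaw-log[]."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        values = PARAM_RE.findall(decode(m['uri'] + ' ' + m['rest']))
        if values:
            verdict = 'traversal' if any(map(is_traversal, values)) else 'review'
            findings.append((m['ip'], m['method'], m['status'], verdict, values))
    return findings

# Constructed sample lines (documentation IPs, placeholder endpoint).
SAMPLE = [
    '198.51.100.23 - - [15/Jan/2026:09:14:02 +0000] "POST /example-endpoint HTTP/1.1" 200 31 "-" "-" "wsaw-log%5B%5D=..%2F..%2Fwp-config.php"',
    '198.51.100.23 - - [15/Jan/2026:09:14:09 +0000] "POST /example-endpoint HTTP/1.1" 200 31 "-" "-" "wsaw-log%255B%255D=%252e%252e%252fwp-config.php"',
    '192.0.2.10 - - [15/Jan/2026:09:20:41 +0000] "POST /example-endpoint HTTP/1.1" 200 88 "-" "-" "wsaw-log%5B%5D=2026-01-14.log"',
    '192.0.2.10 - - [15/Jan/2026:09:21:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "-" "-"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE):
        print(finding)
```

Lines marked `review` carry the parameter without a traversal pattern and still warrant a look when the source is unauthenticated.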
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-14301 is a critical Path Traversal vulnerability affecting versions 0.0.0–1.3.0 of the Integration Opvius AI for WooCommerce plugin, allowing attackers to access or delete files.
If you are using Opvius AI for WooCommerce versions 0.0.0 through 1.3.0, you are potentially affected and should upgrade immediately.
Upgrade to the latest version of the Integration Opvius AI for WooCommerce plugin as soon as a patched version is released. Temporarily disable the plugin if an upgrade is not immediately available.
While active exploitation is not yet confirmed, the vulnerability's critical severity and ease of exploitation suggest it is likely to be targeted soon.
Refer to the Opvius AI website and WordPress plugin repository for official advisories and updates regarding CVE-2025-14301.