Platform: wordpress
Component: opal-woo-custom-product-variation
Fixed in: 1.2.1
CVE-2025-47535 describes an Arbitrary File Access vulnerability within the Opal Woo Custom Product Variation plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions 0.0 through 1.2.0 of the plugin, and a fix is available in version 1.2.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. In the context of a WordPress plugin, this could expose configuration files, database credentials, or even source code. A successful exploit could lead to complete compromise of the WordPress installation and the underlying server. The attacker could potentially gain access to user data, modify website content, or install malicious software. This vulnerability is particularly concerning because it can be exploited without authentication, making it accessible to a wide range of attackers.
CVE-2025-47535 was publicly disclosed on 2025-05-23. There is currently no indication of active exploitation or listing on CISA KEV. Public proof-of-concept code is not yet available, but the path traversal nature of the vulnerability makes it likely that such code will emerge. The vulnerability's ease of exploitation increases the risk of future attacks.
Exploit Status
EPSS: 0.38% (59th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-47535 is to immediately upgrade the Opal Woo Custom Product Variation plugin to version 1.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable endpoint. Web Application Firewalls (WAFs) can be configured to block requests containing path traversal sequences (e.g., ../). Monitor WordPress logs for suspicious file access attempts. After upgrading, confirm the fix by attempting to access a file outside the intended directory through the plugin’s interface; access should be denied.
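As an added example (not code from the page or from the plugin vendor), a small Python scanner that applies the log-monitoring advice above to web-server access logs: it percent-decodes each request target, including double-encoded forms, and folds backslashes before looking for traversal sequences, so encoded variants of `../` are not missed. The log lines are constructed, and the `view.php` endpoint and `file` parameter in them are hypothetical, not the plugin's real interface.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format) for illustration only.
# The view.php endpoint and the "file" parameter are hypothetical, not the plugin's real interface.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2025:10:01:02 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/assets/img/sample.png HTTP/1.1" 200 512
203.0.113.11 - - [23/May/2025:10:01:05 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/view.php?file=../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.12 - - [23/May/2025:10:01:09 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/view.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048
203.0.113.13 - - [23/May/2025:10:01:12 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/view.php?file=..%255c..%255cwp-config.php HTTP/1.1" 403 0
203.0.113.14 - - [23/May/2025:10:01:15 +0000] "GET /?s=latest+products HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# ".." followed by a separator (or end of string) after normalisation
TRAVERSAL_RE = re.compile(r"\.\.(/|$)")


def normalize_target(target: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    %252e%252e%252f forms compare equal, then fold backslashes to '/'."""
    cur, prev = target, None
    for _ in range(3):  # bounded: a third pass only matters for triple encoding
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a directory-traversal sequence."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_log(text: str) -> list:
    """Return one record per request whose target contains a traversal sequence.
    A 200 with a non-zero size deserves immediate follow-up; a 403 means the WAF
    or server blocked it, but the probing itself is still worth recording."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["target"]):
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "size": int(m["size"]) if m["size"].isdigit() else 0,
                "decoded": normalize_target(m["target"]),
            })
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the three traversal requests and leaves the two ordinary ones alone; feed it a real access log to triage after an upgrade or a WAF rule change.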
Update the Opal Woo Custom Product Variation plugin to the latest available version to mitigate the path traversal vulnerability. Check for available updates in the WordPress repository or on the developer's website. Be sure to take a full backup of the site before applying any update.
CVE-2025-47535 is a HIGH severity vulnerability allowing attackers to read files outside the intended directory in the Opal Woo Custom Product Variation plugin. It affects versions 0.0 through 1.2.0.
If you are using Opal Woo Custom Product Variation version 0.0 - 1.2.0 on your WordPress site, you are potentially affected by this vulnerability.
Upgrade the Opal Woo Custom Product Variation plugin to version 1.2.1 or later to resolve this vulnerability. Consider temporary restrictions or WAF rules if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2025-47535, but the vulnerability's nature makes it a potential target.
Please refer to the official Opal Woo Custom Product Variation website or WordPress plugin repository for the latest advisory and update information.