Platform
wordpress
Component
wc-purchase-orders
Fixed in
1.0.3
CVE-2025-5391 is an arbitrary file deletion vulnerability in the Purchase Orders for WooCommerce plugin for WordPress. It allows authenticated attackers with as little as Subscriber-level access to delete arbitrary files on the server. The impact is severe: deleting wp-config.php returns the site to its installation state, where an attacker can complete the setup wizard against a database they control, log in as an administrator and install a malicious plugin or theme, which amounts to remote code execution and compromise of the entire WordPress site. Versions 1.0.0 through 1.0.2 are affected; version 1.0.3 fixes the issue.
The core of the vulnerability is the plugin's delete_file() function, which does not validate the file path it receives. Nothing confines that path to the directory the plugin manages, so a crafted request can point the function at any file the web server user is permitted to remove, using directory traversal (../) or an absolute path. Deleting wp-config.php, which holds the database credentials and security keys, does not by itself disclose those secrets, but it puts the site into its setup state, and an attacker who then completes the installer gains administrative control of the installation: modifying content, injecting malicious code, stealing user data, or pivoting to other systems on the network. Because only Subscriber-level access is required, any site that allows open user registration effectively exposes the flaw to anyone who can create an account.
CVE-2025-5391 was publicly disclosed on 2025-08-12. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's simplicity and potential for RCE suggest a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations using the affected plugin should prioritize remediation.
Exploit Status
EPSS
1.42% (80th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the Purchase Orders for WooCommerce plugin to version 1.0.3 or later, the release that fixes this issue. If upgrading is not immediately possible, deactivate the plugin until it can be updated; a deactivated plugin's request handlers are not loaded. Additional layers are worth having either way: deploy Web Application Firewall (WAF) rules that block requests to the plugin's file-deletion functionality carrying traversal sequences (../ and its URL-encoded variants) or absolute paths; disable open user registration if the store does not need it, since a Subscriber account is all an attacker requires; and monitor web server and application logs for deletion requests that point outside the plugin's upload directory. Restricting file upload permissions does not help here, because the attack deletes existing files rather than uploading anything. If wp-config.php is found missing, or the site unexpectedly presents the WordPress installation screen, treat the installation as compromised rather than simply restoring the file, because an attacker may already have completed the installer against a database they control.
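The following Python, added here as an illustration rather than a vendor tool, applies the kind of check a log review would use over a few constructed access-log lines: it percent-decodes query values (including double encoding) and flags traversal sequences, absolute paths and references to sensitive files such as wp-config.php. The admin-ajax action name `po_delete_file` and the parameter name `file` in the sample lines are placeholders, since this page does not document the plugin's real request parameters; the rules key on the payload shape, not on those names.

```python
"""Flag access-log requests whose query values carry path traversal, absolute
paths or references to sensitive WordPress files.

Added illustration of the log-monitoring advice, not a vendor tool.  The log
lines are constructed; the action name "po_delete_file" and parameter "file"
are placeholders because the plugin's real request parameters are not
documented on the page this accompanies.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed "combined" format access-log lines: one attacker, one normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:10:14:02 +0000] "GET /wp-admin/admin-ajax.php?action=po_delete_file&file=order-17.pdf HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=po_delete_file&file=../../../wp-config.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:14:15 +0000] "GET /wp-admin/admin-ajax.php?action=po_delete_file&file=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:10:14:21 +0000] "GET /wp-admin/admin-ajax.php?action=po_delete_file&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Aug/2025:10:15:40 +0000] "GET /wp-content/uploads/2025/08/brochure.pdf HTTP/1.1" 200 81720 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Aug/2025:10:16:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
WINDOWS_DRIVE_RE = re.compile(r'^[A-Za-z]:[\\/]')
SENSITIVE_FILES = ("wp-config.php", ".htaccess")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e) are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target):
    """Return the reasons a request target looks like a file-deletion escape."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl decodes one layer; fully_decode strips any further layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            reasons.append(f"traversal in {name}")
        elif value.startswith(("/", "\\")) or WINDOWS_DRIVE_RE.match(value):
            reasons.append(f"absolute path in {name}")
        if any(s in value.lower() for s in SENSITIVE_FILES):
            reasons.append(f"sensitive file in {name}")
    return reasons


def scan(log_text):
    """Parse each log line and keep those whose query values are suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                         "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ", ".join(hit["reasons"]))
        print("   ", hit["target"])
```

Access logs only record the query string, so if the plugin accepts the path in a POST body (as the last sample line would), this scan cannot see it; that is the case for a WAF that inspects request bodies or for application-level audit logging of deletions. A 200 status on a flagged request is a signal to check whether the named file still exists.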
Update the Purchase Orders for WooCommerce plugin to the latest available version (1.0.3 or later). The update addresses the arbitrary file deletion vulnerability by adding validation of file paths, preventing attackers with Subscriber privileges from deleting sensitive files on the server.
CVE-2025-5391 is a vulnerability in the Purchase Orders for WooCommerce plugin allowing authenticated users to delete arbitrary files, potentially leading to remote code execution.
You are affected if you are running Purchase Orders for WooCommerce versions 1.0.0 through 1.0.2. Upgrade to version 1.0.3 or later.
Upgrade to version 1.0.3 or later. If you cannot upgrade right away, deactivate the plugin, and use a WAF to block requests to its file-deletion functionality that carry traversal sequences or absolute paths.
While no active exploitation has been confirmed, the vulnerability's simplicity suggests a high probability of exploitation.
Check the Purchase Orders for WooCommerce plugin's official website and WordPress plugin repository for updates and advisories.