Data Loss Risk in WooCommerce Plugin from Uni CPO
CVE-2025-13391

5.8MEDIUM

Key Information:

Vendor: WordPress
Status: Product Options And Price Calculation Formulas For WooCommerce – Uni Cpo (premium)
Vendor: CVE Published:; 11 February 2026

What is CVE-2025-13391?

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO plugin allows unauthorized file deletion due to a missing capability check in the 'uni_cpo_remove_file' function. This vulnerability affects all versions up to and including 4.9.60, enabling unauthenticated attackers to potentially delete files or attachments stored in external locations like Dropbox if they know the file path. While a partial fix was introduced in version 4.9.60, users should ensure they are running the latest version to mitigate risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) * <= 4.9.60

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://builderius.io/cpo/

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Feb 11, 2026
Vulnerability Reserved
Nov 18, 2025

Credit

Stefan Jost

JSON

WordPress

What is CVE-2025-13391?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.