Data Loss Risk in WooCommerce Plugin from Uni CPO
CVE-2025-13391

5.8MEDIUM

Key Information:

Vendor: WordPress
Status: Product Options And Price Calculation Formulas For WooCommerce – Uni Cpo (premium)
Vendor: CVE Published:; 11 February 2026

What is CVE-2025-13391?

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO plugin allows unauthorized file deletion due to a missing capability check in the 'uni_cpo_remove_file' function. This vulnerability affects all versions up to and including 4.9.60, enabling unauthenticated attackers to potentially delete files or attachments stored in external locations like Dropbox if they know the file path. While a partial fix was introduced in version 4.9.60, users should ensure they are running the latest version to mitigate risks.

Affected Version(s)

Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) 0 <= 4.9.60

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://moomoo.agency/cpo

CVSS V3.1

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2026
Vulnerability Reserved
Nov 18, 2025

Credit

Stefan Jost

CVE-2025-13391 Data

JSON

WordPress

What is CVE-2025-13391?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit