Arbitrary File Deletion Vulnerability in WooCommerce Purchase Orders Plugin for WordPress
CVE-2025-5391
What is CVE-2025-5391?
CVE-2025-5391 is a critical vulnerability identified in the WooCommerce Purchase Orders plugin for WordPress, affecting all versions up to and including 1.0.2. This vulnerability arises from insufficient validation of file paths within the delete_file() function, which allows authenticated users with at least Subscriber-level access to delete arbitrary files on the server. Such deletions could enable an attacker to remove critical files, such as configuration files, which may lead to remote code execution on the affected system. The potential ramifications of this vulnerability are particularly concerning for organizations that rely on this plugin for managing online transactions and order processing.
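The root cause described above is a file-deletion handler that trusts a client-supplied path. As an added illustration (not the plugin's own code; the hook, function and directory names are hypothetical), this is how a WordPress plugin can confine deletion to its own upload directory and deny the action to low-privilege roles:

```php
<?php
// Added example, not code from the WooCommerce Purchase Orders plugin.
// The action name, function name and 'purchase-orders' subdirectory are assumed.

add_action( 'wp_ajax_po_delete_attachment', 'po_secure_delete_file' );

function po_secure_delete_file() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    check_ajax_referer( 'po_delete_attachment', 'nonce' );

    // 2. Authorization: Subscribers must never reach file deletion.
    //    Require a capability held only by shop managers and administrators.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Accept only a bare file NAME, never a path. sanitize_file_name()
    //    strips '/' and '\' so no directory component survives.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'missing file name', 400 );
    }

    // 4. Confine the target to the plugin's own upload subdirectory.
    //    realpath() resolves '..' and symlinks; the result must still start
    //    with the base directory, otherwise the request is rejected.
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'purchase-orders' );
    $target = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;

    if ( false === $base || false === $target
         || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR )
         || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // (Assumed extension: also verify the file belongs to an order this user
    //  is allowed to manage before proceeding.)

    // 5. Delete through WordPress' helper and report whether the file is gone.
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => ! file_exists( $target ) ) );
}
```

The capability check alone would have blocked the Subscriber-level access path the advisory describes; the realpath confinement is what prevents a request from reaching files such as wp-config.php even if a higher-privileged account is compromised.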
Potential impact of CVE-2025-5391
- Remote Code Execution: By exploiting the vulnerability, an attacker could delete critical files, including configuration files, allowing them to execute arbitrary code on the server, which could further compromise the overall system integrity and data security.
- Data Loss: The ability to delete arbitrary files poses a significant risk of data loss, which can severely impact operational capabilities, leading to lost transactions, customer trust, and potential legal liabilities.
- Increased Attack Surface: If an attacker gains the ability to execute code remotely, they could potentially escalate privileges, perform lateral movement within the network, and deploy additional malicious payloads, increasing the overall attack surface of the organization.

Affected Version(s)
WooCommerce Purchase Orders * <= 1.0.2