Arbitrary File Deletion Vulnerability in WooCommerce Purchase Orders Plugin by WordPress
CVE-2025-5391

8.1HIGH

Key Information:

Vendor: WordPress
Status: WooCommerce Purchase Orders
Vendor: CVE Published:; 12 August 2025

What is CVE-2025-5391?

The WooCommerce Purchase Orders plugin for WordPress contains a vulnerability that allows authenticated attackers with Subscriber-level access and above to delete arbitrary files from the server. This vulnerability arises from inadequate validation of file paths within the delete_file() function. As a result, attackers can exploit this flaw to remove critical files from the server, such as the wp-config.php file, potentially leading to remote code execution and compromising the entire site.

Affected Version(s)

WooCommerce Purchase Orders * <= 1.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wc-purchase-or...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 12, 2025
Vulnerability Reserved
May 30, 2025

Credit

Alexander Chikaylo