{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14301", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-08T22:16:03.894Z", "datePublished": "2026-01-14T05:28:05.974Z", "dateUpdated": "2026-04-08T16:45:44.849Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:44.849Z"}, "affected": [{"vendor": "woosaai", "product": "Integration Opvius AI for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files."}], "title": "Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2026-01-13T17:20:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T20:31:13.510310Z", "id": "CVE-2025-14301", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:35:48.151Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14301", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-15T20:31:13.510310Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T20:34:47.564Z"}}], "cna": {"title": "Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "woosaai", "product": "Integration Opvius AI for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T17:20:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79"}, {"url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160"}], "descriptions": [{"lang": "en", "value": "The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:44.849Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14301", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:45:44.849Z", "dateReserved": "2025-12-08T22:16:03.894Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-14T05:28:05.974Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files."}, {"lang": "es", "value": "El plugin Integration Opvius AI para WooCommerce para WordPress es vulnerable a salto de ruta en todas las versiones hasta la 1.3.0, inclusive. Esto se debe a que la funci\u00f3n 'process_table_bulk_actions()' procesa rutas de archivo proporcionadas por el usuario sin comprobaciones de autenticaci\u00f3n, verificaci\u00f3n de nonce o validaci\u00f3n de ruta. Esto permite a atacantes no autenticados eliminar o descargar archivos arbitrarios en el servidor a trav\u00e9s del par\u00e1metro POST 'wsaw-log[]', lo que puede aprovecharse para eliminar archivos cr\u00edticos como 'wp-config.php' o leer archivos de configuraci\u00f3n sensibles."}], "id": "CVE-2025-14301", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-14T06:15:51.977", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L25"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L41"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L79"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:27:13.563475+00:00", "value": {"mitigation_remediation": ["Upgrade the Integration Opvius AI for WooCommerce plugin to the latest available version that removes the insecure file handling (or install a patch from the vendor if released).", "If an update is unavailable, disable or uninstall the plugin to eliminate the attack surface, and remove any remaining plugin files from the server.", "Configure the web application firewall or server configuration to block or whitelist the wsaw-log[] POST parameter, and restrict file access for the plugin to the intended log directory only."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated file deletion or read via path traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress plugin Integration Opvius AI for WooCommerce for all releases up to and including version 1.3.0. No other products or versions are listed as affected.", "description_and_impact": "The Integration Opvius AI for WooCommerce plugin contains a path traversal flaw in the process_table_bulk_actions() function, which accepts arbitrary file paths through the wsaw-log[] POST parameter without authentication, nonce verification, or path validation. An attacker can leverage this to delete or download any file on the web server, including critical files such as wp-config.php, thereby compromising confidentiality and integrity of the site\u2019s configuration and potentially enabling further exploitation.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.8, indicating a very high severity. The EPSS score is reported as less than 1%, suggesting a low likelihood of exploitation in the wild; however, the vulnerability is listed as not being included in the CISA KEV catalog. Attackers can exploit the flaw over the network via an unauthenticated HTTP POST request containing the wsaw-log[] parameter, making the attack vector trivial for any user with network access to the site. If successful, attackers could delete essential configuration files or read sensitive data, potentially leading to a full compromise of the WordPress installation."}}}}, "created": "2026-01-14T10:48:35.295058+00:00", "updated": "2026-04-21T16:30:40.683817+00:00", "vendors": ["woocommerce", "woocommerce$PRODUCT$woocommerce", "woosaai", "woosaai$PRODUCT$integration_opvius_ai_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}