{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5391", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-30T15:36:49.329Z", "datePublished": "2025-08-12T02:24:45.298Z", "dateUpdated": "2026-04-08T16:33:26.518Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:26.518Z"}, "affected": [{"vendor": "bbioon", "product": "Purchase Orders for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "title": "WooCommerce Purchase Orders <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05a27a34-b324-4968-937e-2c0d24175d2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders.php#L151"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders-files.php#L148"}, {"url": "https://plugins.trac.wordpress.org/changeset/3356360/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "timeline": [{"time": "2025-08-11T13:49:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T13:30:37.064634Z", "id": "CVE-2025-5391", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-13T20:19:34.074Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5391", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T13:30:37.064634Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T13:30:38.331Z"}}], "cna": {"title": "WooCommerce Purchase Orders <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Alexander Chikaylo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "bbioon", "product": "Purchase Orders for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-11T13:49:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05a27a34-b324-4968-937e-2c0d24175d2a?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders.php#L151"}, {"url": "https://plugins.trac.wordpress.org/browser/wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders-files.php#L148"}, {"url": "https://plugins.trac.wordpress.org/changeset/3356360/"}], "descriptions": [{"lang": "en", "value": "The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:26.518Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5391", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:26.518Z", "dateReserved": "2025-05-30T15:36:49.329Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-12T02:24:45.298Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."}, {"lang": "es", "value": "El complemento WooCommerce Purchase Orders para WordPress es vulnerable a la eliminaci\u00f3n arbitraria de archivos debido a una validaci\u00f3n insuficiente de la ruta de archivo en la funci\u00f3n delete_file() en todas las versiones hasta la 1.0.2 incluida. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, eliminen archivos arbitrarios en el servidor, lo que puede provocar f\u00e1cilmente la ejecuci\u00f3n remota de c\u00f3digo al eliminar el archivo correcto (como wp-config.php)."}], "id": "CVE-2025-5391", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-12T03:15:28.937", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders-files.php#L148"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wc-purchase-orders/trunk/includes/class-bbpo-purchase-orders.php#L151"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3356360/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05a27a34-b324-4968-937e-2c0d24175d2a?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:01:50.264990+00:00", "value": {"mitigation_remediation": ["Upgrade the WooCommerce Purchase Orders plugin to the latest version that fixes the file path validation flaw.", "Restrict Subscriber or lower role permissions from accessing the plugin\u2019s file\u2011deletion controls and consider elevating such permissions to Administrator only.", "Verify that critical files such as wp-config.php have correct file system permissions and are not writable or deletable by the web server process."], "summary": {"action": "Patch", "impact": "Arbitrary file deletion with potential for remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WooCommerce Purchase Orders plugin for WordPress distributed by bbioon. Sites that have installed any version up to and including 1.0.2 are vulnerable. The plugin is used within WooCommerce stores and is accessible to users with Subscriber role permissions or higher.", "description_and_impact": "The WooCommerce Purchase Orders plugin fails to validate file paths in its delete_file() routine, enabling any authenticated user with Subscriber level or higher to remove any file on the hosting system. Deleting critical configuration files such as wp-config.php could immediately lead to full compromise of the WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity, and the EPSS value of 1% suggests that exploitation, while not common, is conceivable in the wild. The vulnerability is not listed in the CISA KEV catalogue. Attackers only need to be authenticated, meaning that compromised or legitimately granted Subscriber accounts are sufficient to exploit the flaw, after which file deletion can be performed via the plugin\u2019s interface."}}}}, "created": "2025-08-12T11:46:49.530633+00:00", "updated": "2026-04-22T17:15:22.190315+00:00", "vendors": ["woocommerce", "woocommerce$PRODUCT$woocommerce", "woocommerce$PRODUCT$woocommerce_purchase_orders_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}