Description
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
Published: 2026-02-11
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file deletion and data loss by unauthenticated actors
Action: Apply Update
AI Analysis

Impact

The Uni CPO (Premium) plugin for WooCommerce contains a vulnerability in the uni_cpo_remove_file function where a required capability check is missing, allowing anyone with knowledge of an attachment or Dropbox file path to remove those files. This flaw results in unauthorized data deletion, which can affect product images, documentation, or other sensitive content stored by the site. The weakness is classified as Missing Authorization (CWE-862).

Affected Systems

WordPress sites that use the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin at version 4.9.60 or earlier are affected. No additional versions are known to be affected beyond the stated cutoff.

Risk and Exploitability

The CVSS base score of 5.8 indicates medium severity, while the EPSS score of less than 1% signifies a low probability of exploitation at this time. The vulnerability has not appeared in the CISA KEV catalog, but it remains publicly documented and could be leveraged by attackers who discover or guess the file path. Because the flaw permits file deletion without authentication, the risk surface is moderate, yet the overall exploitation likelihood remains low due to the requirement of path knowledge and lack of widespread exploitation reports.

Generated by OpenCVE AI on April 22, 2026 at 15:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Uni CPO (Premium) plugin version, which implements a proper capability check for the delete action.
  • If an immediate upgrade is not feasible, block unauthenticated requests to the uni_cpo_remove_file endpoint by adding a firewall rule or disabling the action in a custom plugin.
  • As a short-term safeguard, restrict public exposure of attachment and Dropbox file paths to prevent path discovery by attackers.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 08 Apr 2026 17:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |

Wed, 11 Feb 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Moomoo; Moomoo product Options And Price Calculation Formulas For Woocommerce – Uni Cpo (premium); Wordpress; Wordpress wordpress |
| Vendors & Products | | Moomoo; Moomoo product Options And Price Calculation Formulas For Woocommerce – Uni Cpo (premium); Wordpress; Wordpress wordpress |

Wed, 11 Feb 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 11 Feb 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60. |
| Title | | Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.60 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion |
| Weaknesses | | CWE-862 |
| References | | |
| Metrics | | cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'} |


Subscriptions

Moomoo Product Options And Price Calculation Formulas For Woocommerce – Uni Cpo (premium)
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:43:09.938Z

Reserved: 2025-11-18T23:21:10.049Z

Link: CVE-2025-13391

Vulnrichment

Updated: 2026-02-11T16:47:34.320Z

NVD

Status: Deferred

Published: 2026-02-11T17:16:06.500

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses