CVE-2025-4564 - Vulnerability Details

- TicketBAI Facturas para WooCommerce <= 3.18 - Unauthenticated Arbitrary File Deletion

Description

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Published: 2025-05-15

Score: 9.8 Critical

EPSS: 3.7% Low

KEV: No

Impact:

Action:

Analysis

Impact

The TicketBAI Facturas para WooCommerce plugin accepts a 'delpdf' action that allows files to be deleted without proper path validation. An attacker can supply any file path, leading to arbitrary file removal on the server. If critical files such as wp-config.php are deleted, the attacker can pivot to remote code execution or other destructive actions.

Affected Systems

The vulnerability exists in the TicketBAI Facturas para WooCommerce WordPress plugin by facturaone. All releases up to version 3.18 are affected. Users running these versions are at risk unless they upgrade.

Risk and Exploitability

The CVSS base score of 9.8 indicates critical severity. The EPSS score of 4% indicates moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires no authentication; a simple HTTP request targeting the plugin's 'delpdf' endpoint can trigger the flaw. Because the attacker can specify arbitrary file paths, deletion of key configuration or core files can enable remote code execution, making this a high priority risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

facturaone

TicketBAI Facturas para WooCommerce

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.18

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the TicketBAI Facturas para WooCommerce plugin to the latest version that removes or secures the vulnerable 'delpdf' action.
If an immediate upgrade is not possible, manually disable or comment out the 'delpdf' function in the plugin code until a patch is applied.
Restrict file permissions on critical files and directories so that the web server cannot delete or modify them, thereby limiting the impact of the flaw.

Generated by OpenCVE AI on April 22, 2026 at 14:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-15152	The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.03694.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/wp-ticketbai/trunk/wp-ticketbai.php#L240
https://plugins.trac.wordpress.org/changeset/3292061/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2927aa13-b012-41eb-93bd-38a4e5fc5455?source=cve

History

Thu, 15 May 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 15 May 2025 11:30:00 +0000

Type	Values Removed	Values Added
Description		The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title		TicketBAI Facturas para WooCommerce <= 3.18 - Unauthenticated Arbitrary File Deletion
Weaknesses		CWE-22
References		https://plugins.trac.wordpress.org/browser/wp-ticketbai/trunk/wp-ticketbai.php#L240 https://plugins.trac.wordpress.org/changeset/3292061/ https://www.wordfence.com/threat-intel/vulnerabilities/id/2927aa13-b012-41eb-93bd-38a4e5fc5455?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-05-15T11:13:15.235Z

Updated: 2026-04-08T16:43:16.112Z

Reserved: 2025-05-12T05:42:19.386Z

Link: CVE-2025-4564

Vulnrichment

Updated: 2025-05-15T13:30:54.156Z

NVD

Status : Deferred

Published: 2025-05-15T12:15:23.413

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:00:05Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object