The vulnerability is a Path Traversal flaw that allows an attacker to delete arbitrary files on the hosting system's filesystem. If an attacker is able to trigger the plugin's file handling functionality, the plugin may construct a pathname that escapes the intended directory and remove any file located on the server. This results in loss of integrity and availability of critical system or website files, potentially disabling the site or corrupting data. The nature of the flaw is an input validation failure that directly leads to destructive file deletion.

The issue affects the WordPress plugin Opal Woo Custom Product Variation by wpopal, for all releases from the earliest available through version 1.2.0. Sites that have installed any of these plugin versions are vulnerable.

The CVSS score of 8.6 classifies this as a high‑severity weakness. The EPSS score is under 1 %, indicating a low probability that the flaw will be actively exploited at this time, and it is not listed in the CISA KEV catalog. The attack vector is likely internal or via a compromised site admin, though the description does not specify remote exploitation. If an attacker gains sufficient access to invoke the plugin’s file deletion path, the impact could be significant. Until a patch is applied, the risk remains moderate to high depending on the threat model and file system permissions.