Description
The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-08-12
Score: 8.1 High
EPSS: 1.3% Low
KEV: No
Impact: Arbitrary file deletion with potential for remote code execution
Action: Patch
AI Analysis

Impact

The WooCommerce Purchase Orders plugin fails to validate file paths in its delete_file() routine, enabling any authenticated user with Subscriber level or higher to remove any file on the hosting system. Deleting critical configuration files such as wp-config.php could immediately lead to full compromise of the WordPress installation.

Affected Systems

The vulnerability affects the WooCommerce Purchase Orders plugin for WordPress distributed by bbioon. Sites that have installed any version up to and including 1.0.2 are vulnerable. The plugin is used within WooCommerce stores and is accessible to users with Subscriber role permissions or higher.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS value of 1% suggests that exploitation, while not common, is conceivable in the wild. The vulnerability is not listed in the CISA KEV catalogue. Attackers only need to be authenticated, meaning that compromised or legitimately granted Subscriber accounts are sufficient to exploit the flaw, after which file deletion can be performed via the plugin’s interface.

Generated by OpenCVE AI on April 22, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Purchase Orders plugin to the latest version that fixes the file path validation flaw.
  • Restrict Subscriber or lower role permissions from accessing the plugin’s file-deletion controls and consider elevating such permissions to Administrator only.
  • Verify that critical files such as wp-config.php have correct file system permissions and are not writable or deletable by the web server process.

Generated by OpenCVE AI on April 22, 2026 at 17:01 UTC.
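
The advisory attributes the flaw to insufficient file path validation in the plugin's delete_file() function and recommends confining the deletion controls to higher-privileged roles. The following is an added illustration of what a hardened WordPress deletion handler looks like; it is not the WooCommerce Purchase Orders plugin's code, OpenCVE's text, or the vendor's fix. The function names (po_confine_to_directory, po_secure_delete_file), the 'purchase-orders' upload subdirectory, the 'po_delete_file' nonce/AJAX action and the 'manage_woocommerce' capability are assumptions chosen for the example; the WordPress API calls (current_user_can, check_ajax_referer, wp_upload_dir, sanitize_file_name, wp_delete_file, wp_send_json_error) are real core functions.

```php
<?php
// Added, hypothetical hardening example for a WordPress plugin's file-deletion
// handler. It is NOT the WooCommerce Purchase Orders plugin's code. The names
// po_confine_to_directory, po_secure_delete_file, the 'purchase-orders'
// subdirectory and the 'po_delete_file' action are assumptions for illustration.

/**
 * Resolve a caller-supplied file name against an allowed base directory and
 * return its canonical absolute path, or null if it is not a regular file
 * inside that directory. This is the check the advisory says was missing.
 */
function po_confine_to_directory( string $base_dir, string $user_path ): ?string {
    $real_base = realpath( $base_dir );
    if ( $real_base === false ) {
        return null; // the allowed directory must exist
    }

    // Accept only a bare file name: no directory separators, no '.' / '..'.
    $name = basename( $user_path );
    if ( $name === '' || $name === '.' || $name === '..' || $name !== $user_path ) {
        return null;
    }

    // realpath() collapses symlinks and '..' so a link inside the directory
    // pointing at wp-config.php resolves to its real, out-of-tree location.
    $candidate = realpath( $real_base . DIRECTORY_SEPARATOR . $name );
    if ( $candidate === false ) {
        return null; // nothing to delete
    }

    // Compare against the base with a trailing separator so that
    // /uploads/purchase-orders-evil is not treated as a child of
    // /uploads/purchase-orders.
    $prefix = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }

    return is_file( $candidate ) ? $candidate : null;
}

/**
 * AJAX handler: authorization, CSRF check, then confined deletion.
 */
function po_secure_delete_file() {
    // Subscriber-level accounts must not reach the deletion logic at all.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'po_delete_file', 'nonce' );

    $requested = isset( $_POST['file'] )
        ? sanitize_file_name( wp_unslash( $_POST['file'] ) )
        : '';

    $upload   = wp_upload_dir();
    $base_dir = trailingslashit( $upload['basedir'] ) . 'purchase-orders'; // assumed location

    $path = po_confine_to_directory( $base_dir, $requested );
    if ( $path === null ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
add_action( 'wp_ajax_po_delete_file', 'po_secure_delete_file' );
```

The path check is deliberately kept in a pure-PHP function with no WordPress dependencies so it can be unit-tested outside a site: calling po_confine_to_directory() with values such as '../wp-config.php', 'sub/../../wp-config.php' or a symlink name that points outside the directory should return null in every case, and only a plain file name that resolves under the base directory should return a path.
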

Advisories
Source: EUVD
ID: EUVD-2025-24200
Title: The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Wed, 08 Apr 2026 17:00:00 +0000

Type: References
Values removed: (none listed)
Values added: (none listed)

Thu, 14 Aug 2025 06:30:00 +0000

Type: Metrics (ssvc)
Values removed: (none listed)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Aug 2025 12:15:00 +0000

Type: First Time appeared
Values removed: (none listed)
Values added: Woocommerce; Woocommerce woocommerce; Woocommerce woocommerce Purchase Orders Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none listed)
Values added: Woocommerce; Woocommerce woocommerce; Woocommerce woocommerce Purchase Orders Plugin; Wordpress; Wordpress wordpress

Tue, 12 Aug 2025 02:30:00 +0000

Type: Description
Values removed: (none listed)
Values added: The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Type: Title
Values removed: (none listed)
Values added: WooCommerce Purchase Orders <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Type: Weaknesses
Values removed: (none listed)
Values added: CWE-22

Type: References
Values removed: (none listed)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none listed)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:26.518Z

Reserved: 2025-05-30T15:36:49.329Z

Link: CVE-2025-5391

Vulnrichment

Updated: 2025-08-12T13:30:38.331Z

NVD

Status : Deferred

Published: 2025-08-12T03:15:28.937

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T17:15:22Z

Weaknesses