Description
The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Published: 2025-08-02
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

The vulnerability exists in the woffice_file_manager_delete() function of the Woffice Core WordPress plugin. Insufficient validation of the file path allows an authenticated user with Contributor-level access or higher to specify arbitrary paths, causing the plugin to delete the target file. This can result in deletion of critical WordPress files, such as wp‑config.php, thereby enabling remote code execution. The flaw is a classic path traversal issue identified as CWE‑22.

Affected Systems

The flaw affects all installations of the Woffice Core plugin for WordPress up to and including version 5.4.26. The affected product is the Woffice Core plugin from WofficeIO, deployed on WordPress sites. No other products or versions are listed.

Risk and Exploitability

The CVSS score of 6.8 denotes a medium severity vulnerability, while the EPSS score of less than 1% indicates low perceived likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with at least Contributor privileges, so the attack vector is local. Given the potential for deleting core configuration files, successful exploitation could lead to remote code execution if the attacker removes wp-config.php or similar files. However, the probabilistic exploitation likelihood remains low at present.

Generated by OpenCVE AI on April 21, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woffice Core plugin to the latest version (5.4.27 or later) where the file path validation is fixed.
  • Restrict file system permissions for the WordPress upload and plugin directories to prevent deletion by non‑administrative users.
  • If an immediate update is unavailable, disable or remove the file manager feature for all users below administrator level until the patch is applied.
  • Verify that contributors cannot reach the file management endpoint by adjusting the plugin settings or applying an access‑control plugin.

Generated by OpenCVE AI on April 21, 2026 at 03:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-23419 The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
History

Tue, 12 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Xtendify
Xtendify woffice
CPEs cpe:2.3:a:xtendify:woffice:*:*:*:*:*:wordpress:*:*
Vendors & Products Xtendify
Xtendify woffice

Mon, 04 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 Aug 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wofficeio
Wofficeio woffice Core
Wordpress
Wordpress wordpress
Vendors & Products Wofficeio
Wofficeio woffice Core
Wordpress
Wordpress wordpress

Sat, 02 Aug 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Title Woffice Core <= 5.4.26 - Authenticated (Contributor+) Arbitrary File Deletion
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Wofficeio Woffice Core
Wordpress Wordpress
Xtendify Woffice
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:45.085Z

Reserved: 2025-07-15T20:01:09.691Z

Link: CVE-2025-7694

cve-icon Vulnrichment

Updated: 2025-08-04T15:19:14.912Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-02T04:15:37.300

Modified: 2025-08-12T17:49:17.087

Link: CVE-2025-7694

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:45:27Z

Weaknesses