Overview
CVE-2025-5391 is a critical vulnerability found in the WooCommerce Purchase Orders plugin for WordPress, a widely-used e-commerce solution for online businesses. This vulnerability is particularly concerning due to its potential to lead to arbitrary file deletion and eventually, remote code execution, making it a significant threat to WordPress users employing the WooCommerce Purchase Orders plugin. Any breach of this nature can have potential catastrophic consequences for businesses, including system compromise and data leakage.
Vulnerability Summary
CVE ID: CVE-2025-5391
Severity: High (8.1 CVSS Score)
Attack Vector: Network
Privileges Required: Low (Subscriber-level access)
User Interaction: Required
Impact: An exploit can lead to arbitrary file deletion, potentially resulting in remote code execution and system compromise or data leakage.
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
WooCommerce Purchase Orders Plugin for WordPress | Up to and including 1.0.2
How the Exploit Works
The vulnerability lies in the delete_file() function of the WooCommerce Purchase Orders plugin, which lacks sufficient file path validation. An attacker with Subscriber-level access or above can abuse this function to delete arbitrary files on the server. The gravest threat arises when critical files like ‘wp-config.php’ are deleted which can then allow for remote code execution. This essentially hands over control of the server to the attacker, compromising the system and potentially leading to data leakage.
Conceptual Example Code
Given the vulnerability, an attacker could send a malicious request to the server using the delete_file() function. The following is a conceptual example of how such a request might look:
POST /wp-admin/admin-ajax.php?action=delete_file HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
file_path=../../../wp-config.php
In this example, the attacker makes a POST request to the ‘delete_file’ action of the ‘admin-ajax.php’ file, specifying the ‘file_path’ parameter as ‘wp-config.php’, a critical file in the WordPress installation. Due to insufficient file path validation, the server processes the request and deletes the specified file, potentially leading to remote code execution.
Mitigation Guidance
Given the severity of this vulnerability, immediate mitigation measures should be taken. Users are advised to apply the vendor patch as soon as it is available. Until then, a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can be used to detect and prevent attempts to exploit this vulnerability. Regularly updating and patching software, along with implementing good cybersecurity practices such as limiting user privileges and monitoring system logs, can also help in mitigating the risk associated with such vulnerabilities.
