A high-severity vulnerability has been identified in the WooMulti WordPress plugin, allowing any authenticated user, including those with the lowest privileges like subscribers, to delete arbitrary files from the web server. Successful exploitation could lead to website defacement, complete loss of functionality, or a total denial of service by deleting critical configuration or system files. Immediate patching is required to mitigate the risk of a site-wide outage.

The vulnerability exists within the file deletion functionality of the WooMulti plugin. The function responsible for deleting files fails to properly sanitize or validate the user-supplied file path parameter. An authenticated attacker can exploit this flaw by crafting a request that uses path traversal sequences (e.g., ../../) to navigate outside of the intended directory and target any file that the web server process has permission to delete. This could include critical WordPress core files like wp-config.php, .htaccess, or even essential operating system files, leading to arbitrary file deletion.

This vulnerability is rated as High severity with a CVSS score of 7.3. The business impact is significant, as exploitation can directly lead to a complete denial of service if critical files required for the website's operation are deleted. This would result in website downtime, causing potential revenue loss, reputational damage, and loss of customer trust. The cost of recovery could also be substantial, requiring restoration from backups and a thorough security investigation to ensure the integrity of the server has not been further compromised.

Immediate Action: Immediately update the WooMulti WordPress plugin to the latest version available from the vendor, which addresses this vulnerability. As a best practice, conduct a review of all installed plugins and themes; remove any that are no longer necessary to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs for suspicious requests targeting the plugin's file deletion functionality, specifically looking for file paths containing traversal sequences (../). Implement a File Integrity Monitoring (FIM) solution to alert on any unauthorized changes or deletions to critical WordPress core files and server configuration files.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block path traversal attack patterns. Additionally, enforce strict file system permissions to ensure the web server user account cannot write to or delete files outside of its designated directories, thereby limiting the impact of a successful exploit.

Public Exploit Available: false

Given the high severity (CVSS 7.3) and the ease of exploitation by any authenticated user, this vulnerability poses a critical risk to affected WordPress sites. Although it is not currently listed on the CISA KEV list, we strongly recommend that organizations prioritize applying the vendor-supplied patch immediately. The potential for a complete denial of service attack warrants urgent attention to prevent significant business disruption.