A critical path traversal vulnerability exists in the Integration Opvius AI for WooCommerce WordPress plugin. This flaw allows unauthenticated attackers to delete or download any file on the web server, including sensitive configuration files or critical system files. Successful exploitation could lead to a complete site compromise, data breach, or denial of service.

The vulnerability is a Path Traversal flaw within the process_table_bulk_actions() function of the plugin. This function fails to implement any authentication, nonce verification, or input sanitization on user-supplied file paths. An unauthenticated attacker can send a specially crafted POST request containing the wsaw-log[] parameter with path traversal sequences (e.g., ../../..) to target files outside of the intended directory. This allows the attacker to force the application to either delete or read and return the contents of arbitrary files on the server's file system, limited only by the web server's file permissions.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate risk to the organization. Exploitation could lead to a severe data breach if an attacker downloads sensitive files like wp-config.php, which contains database credentials and security keys. Furthermore, an attacker could cause a complete denial of service by deleting critical application files, rendering the website inoperable. This can result in significant financial loss, reputational damage, and regulatory penalties depending on the data compromised.

Immediate Action: Immediately update the Integration Opvius AI for WooCommerce plugin to the latest version that addresses this vulnerability (any version after 1.3.0). After patching, thoroughly review web server access logs and file system integrity for any signs of exploitation that may have occurred prior to the update.

Proactive Monitoring: System administrators should actively monitor web server logs for suspicious POST requests, specifically looking for requests containing the wsaw-log[] parameter with path traversal characters (e.g., ../). Implement file integrity monitoring (FIM) on critical files like wp-config.php and core WordPress files to alert on any unauthorized modifications or deletions.

Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attempts in POST request parameters.
• Temporarily disable the vulnerable plugin until a patch can be applied.
• Harden file system permissions to ensure the web server user account has read-only access to non-essential files and no access to sensitive system directories.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the ability for unauthenticated attackers to achieve arbitrary file deletion or disclosure, this vulnerability must be treated as a top priority. Organizations using the affected plugin are strongly advised to apply the security update immediately. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants an emergency patching cycle. A retrospective threat hunt should be conducted to identify any potential compromise prior to remediation.