CVE-2025-5391
WordPress · WordPress WooCommerce Purchase Orders plugin
A high-severity vulnerability has been identified in the WooCommerce Purchase Orders plugin for WordPress, assigned CVE-2025-5391.
Executive summary
A high-severity vulnerability has been identified in the WooCommerce Purchase Orders plugin for WordPress, assigned CVE-2025-5391. This flaw allows an attacker to delete arbitrary files on the server, including critical WordPress configuration files. Successful exploitation could lead to a complete website denial of service, data loss, and a degradation of the site's overall security posture.
Vulnerability
The vulnerability exists within the delete_file() function of the plugin. Due to insufficient validation of user-supplied file paths, an attacker can use path traversal techniques (e.g., ../../..) to specify a file location outside of the intended directory. A low-privileged authenticated attacker could craft a malicious request to this function, tricking the application into deleting critical system files such as wp-config.php, .htaccess, or other essential plugin and theme files, leading to a denial of service or creating opportunities for further compromise.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation can have a significant negative impact on business operations. Deleting core configuration files can render the entire website inaccessible, resulting in a Denial of Service (DoS) condition that leads to reputational damage and lost revenue. Furthermore, the deletion of security-related files or user data could compromise the integrity of the application, lead to data loss, and weaken security controls, making the website more susceptible to subsequent attacks.
Remediation
Immediate Action:
- Immediately update the WooCommerce Purchase Orders plugin to the latest patched version provided by the vendor.
- If the plugin is not essential for business operations, consider deactivating and removing it entirely to eliminate the attack surface.
- Review WordPress file and directory permissions to ensure the web server user cannot modify or delete critical core files.
Proactive Monitoring:
- Monitor web server access logs for requests targeting the plugin's endpoints, specifically looking for path traversal sequences (e.g., ../, %2e%2e/, etc.) in request parameters.
- Implement a File Integrity Monitoring (FIM) solution to generate alerts for any unauthorized or unexpected changes or deletions of critical WordPress files.
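The log-monitoring recommendation above, as an added example that is not part of this advisory or the plugin: a small scanner that parses access-log lines, decodes repeated percent-encoding so %2e%2e and double-encoded variants are not missed, and reports requests to plugin endpoints whose parameters carry a traversal sequence. The log lines, the admin-ajax action name and the parameter names are constructed for the example and are not the plugin's real endpoints.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined format); endpoint and parameter
# names are assumptions for the example, not taken from the affected plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete_file&file=order-42.pdf HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete_file&file=../../../wp-config.php HTTP/1.1" 200 0
203.0.113.7 - - [10/Jun/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete_file&file=%2e%2e%2f%2e%2e%2f.htaccess HTTP/1.1" 200 0
203.0.113.7 - - [10/Jun/2025:10:01:20 +0000] "GET /wp-admin/admin-ajax.php?action=example_delete_file&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 0
198.51.100.4 - - [10/Jun/2025:10:02:00 +0000] "GET /product/widget/ HTTP/1.1" 200 9031
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment after normalising backslashes to forward slashes.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
# Assumed markers for plugin-reachable endpoints on a WordPress site.
PLUGIN_ENDPOINT_MARKERS = ("admin-ajax.php", "/wp-content/plugins/")


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252e%252e (double-encoded) is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_params(target):
    """Return (name, decoded value) for each query parameter holding a traversal sequence."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(raw).replace("\\", "/")
        if TRAVERSAL_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Return one finding per request that hits a plugin endpoint with a traversal parameter."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not any(k in m.group("target") for k in PLUGIN_ENDPOINT_MARKERS):
            continue
        hits = traversal_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} params={f['params']}")
```

A hit with status 200 on a delete endpoint is the case worth correlating with FIM alerts on wp-config.php or .htaccess, since a 4xx suggests the request was blocked before reaching the plugin.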
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules designed to detect and block path traversal attack patterns.
- Ensure a robust and tested backup and recovery plan is in place to allow for rapid restoration of the website and critical files in the event of a successful attack.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.1 and the severe potential impact of arbitrary file deletion, we strongly recommend that organizations using the affected plugin prioritize remediation immediately. The risk of website downtime and security degradation is substantial. All instances of the WooCommerce Purchase Orders plugin should be updated to the latest version without delay. If the plugin is not critical, it should be removed as the most effective mitigation strategy.