CVE-2025-6439

The WooCommerce Designer Pro plugin for Multiple Products (used by the Pricom - Printing Company & Design Services WordPress theme)

Executive summary

A critical vulnerability has been identified in The WooCommerce Designer Pro plugin for WordPress, which allows a remote attacker to delete arbitrary files on the server. This flaw, resulting from insufficient file path validation, can be exploited to cause a complete denial of service, destroy critical data, and potentially lead to a full system compromise. Due to its high severity, immediate action is required to prevent exploitation.

Vulnerability

The plugin is vulnerable to arbitrary file deletion. It fails to properly sanitize or validate user-supplied input for file paths used in a deletion function. An unauthenticated remote attacker can exploit this by crafting a request with path traversal sequences (e.g., ../../..) to target and delete any file that the web server's user account has permissions to modify. This could include critical application files like wp-config.php, web server configuration files like .htaccess, or even operating system files, leading to a complete compromise or denial of service.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a devastating impact on the business. The primary risk is a complete denial of service if an attacker deletes essential WordPress core files, configuration files, or database credentials. This would result in website downtime, leading to revenue loss, reputational damage, and loss of customer trust. Furthermore, the deletion of sensitive data or security logs could disrupt business operations, complicate incident response, and create opportunities for further attacks.

Remediation

Immediate Action: Update The WooCommerce Designer Pro plugin for Multiple Products to the latest version. After updating, verify that the patch has been successfully applied and the site is functioning correctly. It is also critical to monitor for exploitation attempts and review access logs for any signs of compromise that may have occurred before patching.

Proactive Monitoring: Implement continuous monitoring of web server access logs and error logs. Specifically, look for suspicious POST or GET requests containing path traversal payloads (e.g., ../, %2e%2e/) in parameters associated with file management or deletion functions. Utilize a File Integrity Monitoring (FIM) solution to alert on unauthorized changes or deletions of critical system and application files.
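To make the log review above concrete, this added example (not part of the advisory) scans Apache combined-format access log lines for traversal payloads and inspects each request target at every percent-decoding layer, so that single-encoded (`%2e%2e/`) and double-encoded (`%252e%252e/`) variants are caught alongside the plain `../` form. The sample lines, the `action` and `file` parameter names and the IP addresses are all constructed for the example and are not taken from the affected plugin or from real traffic.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. The action/file parameter
# names are hypothetical and do not come from the affected plugin.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:12:00:01 +0000] "GET /wp-content/uploads/designs/42.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jul/2025:12:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=delete_design_file&file=../../../wp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.10 - - [10/Jul/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=delete_design_file&file=%2e%2e%2f%2e%2e%2f.htaccess HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.10 - - [10/Jul/2025:12:00:11 +0000] "GET /wp-admin/admin-ajax.php?action=delete_design_file&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2025:12:01:00 +0000] "GET /?s=hello..world HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
"""

# Fields of the combined format that matter for triage: client IP, timestamp,
# method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# '../' or '..\' anywhere, or a trailing '/..'. A bare '..' inside a word
# (hello..world) is not a traversal and is deliberately not matched.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|[/\\]\.\.$')


def decode_layers(s: str, max_rounds: int = 3) -> List[str]:
    """Percent-decode repeatedly and return every layer seen, raw string first,
    so that single- and double-encoded payloads are both inspected."""
    layers = [s]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def find_traversal_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose request target contains a traversal
    sequence at any decoding depth (0 = plain, 1 = %2e%2e, 2 = %252e%252e)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for depth, layer in enumerate(decode_layers(m.group("target"))):
            if TRAVERSAL_RE.search(layer):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "method": m.group("method"),
                    "status": m.group("status"),
                    "decoded_target": layer,
                    "encoding_depth": str(depth),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

In practice the records would be grouped by source IP and correlated with the FIM alerts the advisory recommends: a traversal request followed by a file-deletion alert on `wp-config.php` or `.htaccess` from the same window is strong evidence of successful exploitation rather than a blocked probe, and the `status` field helps separate the two.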

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with strict rules to block path traversal attacks. Enforce the principle of least privilege by ensuring the web server user has the most restrictive file permissions possible, preventing it from writing to or deleting files outside of its designated directories. Maintain regular, automated, and tested offline backups to ensure rapid recovery in the event of a successful attack.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8, this vulnerability represents a significant and immediate threat to the confidentiality, integrity, and availability of the affected web application and underlying server. Although this CVE is not currently listed on the CISA KEV list, its severity warrants immediate attention. We strongly recommend that organizations apply the vendor-supplied security update to all affected instances of The WooCommerce Designer Pro plugin without delay. Prioritize this patch above all other routine maintenance to mitigate the risk of a destructive attack.