
CVE-2025-12835: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WooMulti

Severity: High
Tags: Vulnerability, CVE-2025-12835, CWE-22
Published: Fri Dec 12 2025 (12/12/2025, 10:24:14 UTC)
Source: CVE Database V5
Product: WooMulti

Description

The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated user, such as a subscriber, to delete arbitrary files on the server.

AI-Powered Analysis

Last updated: 12/12/2025, 10:50:56 UTC

Technical Analysis

CVE-2025-12835 is a path traversal vulnerability (CWE-22) in the WooMulti WordPress plugin, affecting versions through 17. The plugin's file-deletion routine takes a file parameter from the request and uses it to build a filesystem path without validating it, so a caller can supply traversal sequences (for example '../') or an otherwise out-of-scope path and the plugin will delete a file outside its intended directory. Because the routine is reachable by any authenticated user, an account with the Subscriber role is enough to delete any file that the web server process has permission to remove.

The authentication requirement is a weak barrier in practice. WordPress sites that enable 'Anyone can register' hand out accounts on request, and the default role for new registrations is Subscriber, so on such sites the attacker simply registers. Compared with flaws that need Editor or Administrator rights this is a much lower bar, though still higher than an unauthenticated issue. The root cause is the absence of input validation and path canonicalization in the deletion handler, compounded by the lack of a capability check restricting who may call it.

Deleting arbitrary files can take the site offline (for example by removing wp-config.php), destroy uploaded content, or strip protective files and configuration. Deletion alone does not yield code execution, but it can degrade other controls and remove evidence. The entry records no fixed version and no known exploitation in the wild, and carries no CVSS vector (the 'High' rating is the platform's own). The CVE was assigned by WPScan, reserved on 2025-11-06 and published on 2025-12-12. The plugin name indicates a WooCommerce add-on, so affected installations are likely e-commerce sites where disruption has direct business impact.

Potential Impact

For European organizations running WooMulti, the main risk is to the availability and integrity of WordPress-based web infrastructure. Arbitrary file deletion can disrupt e-commerce operations, remove content, and break backend processes, causing downtime and loss of customer trust. Because the flaw is exploitable from a Subscriber account, the exposed population is every registered user, which is large on sites with open registration or customer accounts. Deletion alone gives no code execution, but removing wp-config.php takes the site offline, removing .htaccess rules or other protective files can weaken other controls, and removing logs hinders later investigation. Organizations processing customer data through affected sites may face regulatory and compliance consequences if service disruption or data-integrity issues result. Given how widely WordPress is used by European SMEs and online shops, the impact could be broad, affecting operational continuity and causing financial loss.

Mitigation Recommendations

For site operators: until a fixed release is available, the most reliable mitigation is to deactivate or remove WooMulti. If that is not feasible, reduce who can reach the vulnerable handler: disable open registration (Settings → General, 'Anyone can register') where it is not needed, review existing Subscriber and customer accounts, and put a web application firewall or server rule in front of the site that blocks file parameters containing traversal sequences or absolute paths on requests to the plugin's endpoints (treat this as a stopgap, since string filters are easy to bypass). Limit what a successful deletion can reach by running PHP, where operationally feasible, as a user with write access only to wp-content/uploads and other directories that must be writable, and by making wp-config.php and core files read-only to that user. Monitor file-system changes with integrity checking (for example, compare WordPress core and plugin files against known-good hashes) and alert on unexpected deletions. Keep current, tested backups of both files and database so a malicious deletion can be rolled back quickly.

For the plugin developer, or anyone patching the code locally: the deletion handler should check a capability such as manage_options with current_user_can() so that only intended roles can call it, verify a nonce, reject absolute paths, canonicalize the requested path (realpath()) and confirm the result lies inside the intended base directory before deleting anything. Strong authentication and session management remain good hygiene but do not address this flaw, because the attacker needs only a legitimately obtained low-privilege account.
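As an added example, not code from WooMulti or from the WPScan advisory, the following PHP shows an AJAX deletion handler in the shape the Technical Analysis describes, beside a hardened version that applies the capability, nonce and canonicalization checks recommended above. The function names, the AJAX action 'wm_delete_file', the request fields 'file' and 'nonce', the nonce action, and the uploads directory as the intended base are all assumptions for illustration.

```php
<?php
/*
 * Added example, not WooMulti's own code: an illustrative WordPress AJAX
 * file-deletion handler in the shape the advisory describes, beside a
 * hardened version. The function names, the 'wm_delete_file' AJAX action,
 * the 'file' and 'nonce' request fields and the nonce action are assumptions.
 */

/*
 * Vulnerable shape (illustrative). Any logged-in user can trigger the
 * wp_ajax_* hook, and the 'file' value is joined to the uploads directory
 * unchanged, so "../../wp-config.php" resolves outside it.
 */
function wm_delete_file_vulnerable() {
    $upload = wp_upload_dir();
    $file   = $_POST['file'];                    // untrusted, unvalidated
    $target = $upload['basedir'] . '/' . $file;  // traversal escapes basedir
    if ( file_exists( $target ) ) {
        unlink( $target );
    }
    wp_die();
}

/*
 * Hardened version: capability check, nonce, canonicalization and a
 * containment check before anything is removed.
 */
function wm_delete_file_hardened() {
    // 1. Only roles meant to manage files may reach this code. Pick the
    //    capability that matches the intended audience; manage_options
    //    limits the action to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. Require a valid nonce (created with wp_create_nonce( 'wm_delete_file' )
    //    and sent as the 'nonce' field). check_ajax_referer() dies on failure,
    //    which also blocks cross-site request forgery.
    check_ajax_referer( 'wm_delete_file', 'nonce' );

    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] );
    if ( false === $base ) {
        wp_send_json_error( 'uploads directory unavailable', 500 );
    }

    $requested = isset( $_POST['file'] )
        ? sanitize_text_field( wp_unslash( $_POST['file'] ) )
        : '';

    // 3. Cheap rejections first: empty names, NUL bytes and absolute paths.
    //    The real decision is made on the canonical path below, because a
    //    string filter for "../" misses doubled, backslashed or symlinked forms.
    if ( '' === $requested
        || false !== strpos( $requested, "\0" )
        || path_is_absolute( $requested ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    // 4. realpath() resolves '..' segments and symlinks and returns false for
    //    paths that do not exist. The result must be a regular file strictly
    //    under the uploads directory; the prefix includes the separator so a
    //    sibling directory such as "uploads2" does not match.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( false === $target
        || 0 !== strncmp( $target, $prefix, strlen( $prefix ) )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'file not found in uploads directory', 404 );
    }

    // wp_delete_file() returns nothing, so confirm the result on disk.
    wp_delete_file( $target );
    if ( file_exists( $target ) ) {
        wp_send_json_error( 'deletion failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => substr( $target, strlen( $prefix ) ) ) );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_ hook, so anonymous requests never reach it.
add_action( 'wp_ajax_wm_delete_file', 'wm_delete_file_hardened' );
```

The containment decision rests on realpath() rather than on searching the input for '../': an attacker can reach the same file through "....//" after a naive single-pass strip, through backslash separators on Windows, or through a symlink planted inside the uploads directory, and only the resolved path shows where a deletion will actually land. The capability check is what closes the Subscriber-level exposure the advisory describes; the path checks stop traversal even for the roles that are allowed to delete.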


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2025-11-06T19:58:23.708Z
CVSS Version: none recorded (null)
State: PUBLISHED

Threat ID: 693beffae96055a68b9f7a21

Added to database: 12/12/2025, 10:35:38 AM

Last enriched: 12/12/2025, 10:50:56 AM

Last updated: 12/14/2025, 9:32:49 PM

