CVE-2025-12835: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WooMulti
The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated user, such as a subscriber, to delete arbitrary files on the server.
AI Analysis
Technical Summary
CVE-2025-12835 is a path traversal vulnerability classified under CWE-22 found in the WooMulti WordPress plugin versions up to 17. The flaw arises because the plugin fails to properly validate the 'file' parameter when processing file deletion requests. This improper validation allows authenticated users, including those with minimal privileges such as subscribers, to manipulate the file path and delete arbitrary files on the hosting server. The vulnerability is remotely exploitable over the network (AV:N) with low attack complexity (AC:L), requiring only low privileges (PR:L) and user interaction (UI:R). The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component's privileges. The CVSS v3.1 base score is 7.3, reflecting high severity due to the potential for integrity and availability impacts. Successful exploitation can lead to deletion of critical files, causing denial of service or data loss. No public exploits are currently known, but the vulnerability poses a significant risk given WooMulti's deployment in WordPress sites, especially those handling multi-vendor e-commerce. The lack of patch links suggests a fix is pending or not yet publicly released. The vulnerability was reserved in early November 2025 and published in December 2025, indicating recent discovery. Attackers could leverage this flaw to disrupt services or escalate attacks by removing key files, making it a critical concern for site administrators.
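The defect class described above, and the check that closes it, as an added illustration that is not WooMulti code or code from the advisory. The unsafe resolver joins the request's 'file' parameter onto a base directory and trusts it; the hardened one canonicalises the path, requires the result to stay under the allowed directory, rejects anything that is not a regular file, and performs an authorisation check before any path work. Directory layout, file names and the capability names ('read', 'manage_options') are assumptions; in a PHP plugin the equivalent building blocks are realpath() and WordPress's current_user_can().

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed illustration of the CWE-22 defect class described for CVE-2025-12835
# and of the containment check that closes it. None of this is WooMulti code; the
# base directory, file names and capability names are assumptions.


class DeleteRejected(Exception):
    """Raised when a deletion request fails authorisation or path validation."""


def resolve_unsafe(base_dir: str, file_param: str) -> str:
    """Vulnerable pattern: the request parameter is joined onto the base directory
    and trusted, so '..' segments walk out of base_dir. Returns the path that
    would be removed; it never deletes anything itself."""
    return os.path.normpath(os.path.join(base_dir, file_param))


def resolve_safe(base_dir: str, file_param: str) -> str:
    """Hardened pattern: canonicalise and require the result to stay under base_dir.
    resolve() follows symlinks, so a link inside base_dir that points outside
    is rejected as well."""
    if not file_param or "\x00" in file_param:
        raise DeleteRejected("empty or NUL-containing file parameter")
    if Path(file_param).is_absolute():
        raise DeleteRejected("absolute paths are not accepted")
    base = Path(base_dir).resolve()
    candidate = (base / file_param).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise DeleteRejected(f"{file_param!r} resolves outside the allowed directory") from None
    if not candidate.is_file():
        raise DeleteRejected("target is not a regular file")
    return str(candidate)


def handle_delete(base_dir: str, file_param: str, user_caps: set,
                  required_cap: str = "manage_options") -> str:
    """Authorisation first, then path validation, then the actual removal.
    'manage_options' stands in for an administrator-level capability (assumed name)."""
    if required_cap not in user_caps:
        raise DeleteRejected(f"missing capability {required_cap!r}")
    target = resolve_safe(base_dir, file_param)
    os.remove(target)
    return target


def demo() -> dict:
    """Build a throwaway directory layout (constructed data) and exercise both
    resolvers. Returns a dict of boolean outcomes so the behaviour can be checked."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        Path(uploads, "invoice.pdf").write_text("invoice")
        Path(root, "wp-config.php").write_text("outside the upload directory")
        results = {}

        # The unsafe resolver points at a file outside uploads/ without complaint.
        escaped = resolve_unsafe(uploads, "../wp-config.php")
        results["unsafe_escapes_base"] = not escaped.startswith(uploads + os.sep)

        def rejected(fn, *args):
            try:
                fn(*args)
            except DeleteRejected:
                return True
            return False

        results["safe_rejects_traversal"] = rejected(resolve_safe, uploads, "../wp-config.php")
        results["safe_rejects_absolute"] = rejected(resolve_safe, uploads, os.path.join(root, "wp-config.php"))
        results["safe_accepts_inside"] = resolve_safe(uploads, "invoice.pdf").endswith("invoice.pdf")
        # A subscriber-level account (capability 'read' only) is refused before any path work.
        results["low_priv_blocked"] = rejected(handle_delete, uploads, "invoice.pdf", {"read"})
        handle_delete(uploads, "invoice.pdf", {"read", "manage_options"})
        results["admin_delete_inside_ok"] = not os.path.exists(os.path.join(uploads, "invoice.pdf"))
        results["outside_file_untouched"] = os.path.exists(os.path.join(root, "wp-config.php"))
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The order in handle_delete matters: the capability check runs before the path is even looked at, which is what keeps a subscriber account from reaching the deletion code at all, and the containment check is done on the resolved path rather than by string-matching for "..", so encoded or symlinked variants are caught the same way.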
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity and availability of web services running WooMulti on WordPress. Unauthorized file deletions could lead to website downtime, loss of critical data, or disruption of e-commerce operations, impacting business continuity and customer trust. Since even low-privilege users can exploit this flaw, insider threats or compromised subscriber accounts could be leveraged to cause damage. The impact is particularly severe for organizations relying on WooMulti for multi-vendor marketplace functionality, as service disruption could affect multiple stakeholders. Additionally, recovery from such attacks may require restoring files from backups, incurring operational costs and potential data loss. The vulnerability does not directly expose confidential data but can indirectly affect confidentiality if deletion of security-related files occurs. Overall, the threat could lead to reputational damage, financial losses, and regulatory scrutiny under European data protection laws if service availability is compromised.
Mitigation Recommendations
European organizations should immediately restrict access to the WooMulti plugin features, especially file deletion functionalities, limiting them to trusted administrators only. Implement strict role-based access controls to prevent low-privilege users from performing sensitive operations. Monitor server logs for unusual file deletion activities and set up alerts for suspicious behavior. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the 'file' parameter. Regularly back up website files and databases to enable rapid recovery in case of file deletion attacks. Since no official patch is currently available, consider temporarily disabling the vulnerable plugin or replacing it with alternative solutions until a secure update is released. Engage with the plugin vendor or community for updates and apply patches promptly once available. Conduct security audits and penetration testing focused on plugin vulnerabilities to identify and remediate similar issues proactively.
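The log-monitoring and WAF-rule recommendations above, as an added example that is not part of the advisory: a small scanner that pulls the 'file' query parameter out of access log lines, undoes repeated percent-encoding, and flags values containing a '..' segment, an absolute path or a NUL byte. The log lines are constructed; the admin-ajax endpoint, the action name 'delete_file', the client addresses and the file names are assumptions, and only the parameter name 'file' comes from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample of access log lines (not real WooMulti traffic). The endpoint,
# action name, IPs and file names are assumptions; only the parameter name 'file'
# is taken from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2025:10:35:38 +0000] "GET /wp-admin/admin-ajax.php?action=delete_file&file=invoices/2025-11.pdf HTTP/1.1" 200 512
203.0.113.5 - - [12/Dec/2025:10:36:02 +0000] "GET /wp-admin/admin-ajax.php?action=delete_file&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 12
198.51.100.7 - - [12/Dec/2025:10:40:11 +0000] "GET /wp-admin/admin-ajax.php?action=delete_file&file=.%2Freport.csv HTTP/1.1" 200 33
198.51.100.7 - - [12/Dec/2025:10:41:45 +0000] "GET /wp-admin/admin-ajax.php?action=delete_file&file=%252e%252e%2F%252e%252e%2F.htaccess HTTP/1.1" 200 12
198.51.100.7 - - [12/Dec/2025:10:42:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44
"""

# Matches the request line inside a combined/common log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double encoding is a common way to slip
    past naive string filters) until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True when the decoded parameter contains a '..' segment, starts with '/'
    or carries a NUL byte. Backslashes are treated as separators as well."""
    decoded = fully_decode(value).replace("\\", "/")
    if "\x00" in decoded or decoded.startswith("/"):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def scan_lines(lines, param: str = "file"):
    """Return (line_no, client_ip, decoded_value) for every request whose query
    string carries a suspicious value in `param`."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qs decodes one layer; fully_decode handles any further layers.
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            if is_traversal(raw):
                findings.append((line_no, line.split()[0], fully_decode(raw)))
    return findings


def scan_text(text: str, param: str = "file"):
    return scan_lines(text.splitlines(), param)


if __name__ == "__main__":
    for line_no, ip, value in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent file={value!r}")
```

Two limitations worth knowing before relying on this: the last sample line is a POST, whose body is not in a standard access log, so a deletion request carried in a form body is invisible here and needs application-level logging of the handler's parameter and user; and the same decode-then-segment-match logic, rather than a literal match on "../", is what a WAF rule for the 'file' parameter should implement, otherwise the double-encoded variant on line 4 passes.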
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2025-11-06T19:58:23.708Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 693beffae96055a68b9f7a21
Added to database: 12/12/2025, 10:35:38 AM
Last enriched: 12/19/2025, 11:22:33 AM
Last updated: 2/7/2026, 4:25:04 PM