The vulnerability identified as CVE-2025-13391 affects the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress. This plugin is widely used to enhance WooCommerce stores by allowing complex product options and price calculations. The core issue is a missing authorization check (CWE-862) in the 'uni_cpo_remove_file' function, which is responsible for deleting files stored in Dropbox. Because the function lacks proper capability verification, unauthenticated attackers can invoke it remotely to delete arbitrary files if they know the exact file path. This flaw compromises data integrity by enabling unauthorized deletion of attachments or files linked to the e-commerce platform. The vulnerability affects all versions up to and including 4.9.60, with a partial patch applied in 4.9.60, indicating that some risk may remain if the patch is incomplete or not applied. The CVSS v3.1 score of 5.8 reflects a medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) indicating that the vulnerability affects resources beyond the security scope of the vulnerable component. The impact is limited to integrity (I:L), with no confidentiality or availability impact. No known exploits are currently reported in the wild, but the ease of exploitation and lack of authentication requirements make this a significant risk for affected sites. The vulnerability could lead to loss of critical product-related files, potentially disrupting business operations and causing financial or reputational damage.

For European organizations, particularly those operating WooCommerce-based e-commerce platforms using the Uni CPO Premium plugin, this vulnerability poses a risk of unauthorized deletion of product-related files stored in Dropbox. This can lead to data loss affecting product configurations, pricing formulas, or attachments critical for sales operations. The integrity breach could disrupt order processing, pricing accuracy, and customer experience, potentially resulting in financial losses and damage to brand reputation. Since the vulnerability requires no authentication and can be exploited remotely, attackers can target vulnerable sites at scale. Organizations relying on automated workflows or third-party integrations with Dropbox are especially vulnerable to cascading effects. Although availability and confidentiality are not directly impacted, the loss of data integrity can indirectly affect service reliability and customer trust. The partial patch status means organizations must verify patch completeness and consider additional compensating controls. The threat is more pronounced in sectors with high e-commerce activity and reliance on WooCommerce plugins, including retail, wholesale, and digital goods providers across Europe.

1. Immediately update the Uni CPO Premium plugin to the latest version beyond 4.9.60 once a full patch is available and verified. 2. Until a complete patch is confirmed, disable or restrict access to the 'uni_cpo_remove_file' function by applying custom capability checks or limiting its invocation to authenticated and authorized users only. 3. Implement strict access controls and monitoring on Dropbox file storage, including logging and alerting on file deletions. 4. Avoid exposing file paths publicly or through predictable URLs to reduce the risk of attackers guessing valid paths. 5. Conduct regular audits of plugin usage and file deletion logs to detect suspicious activity early. 6. Employ web application firewalls (WAFs) with rules targeting suspicious requests to the vulnerable function. 7. Educate development and security teams about the vulnerability to ensure rapid response to any exploitation attempts. 8. Consider isolating critical file storage or using alternative secure storage solutions with stronger access controls. 9. Review and harden WordPress and WooCommerce security configurations to minimize attack surface. 10. Maintain regular backups of product-related files to enable recovery in case of unauthorized deletions.