CVE-2025-13391: CWE-862 Missing Authorization in MooMoo Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-13391 is a vulnerability identified in the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) WordPress plugin, which is widely used to customize product options and pricing formulas in WooCommerce stores. The root cause is a missing authorization (CWE-862) in the 'uni_cpo_remove_file' function, which fails to verify user capabilities before allowing file deletion requests. This flaw enables unauthenticated attackers to delete arbitrary attachments or files stored externally in Dropbox, provided they know the exact file path. The vulnerability affects all plugin versions up to and including 4.9.60, with a partial patch applied in version 4.9.60. The attack vector is network-based with no authentication or user interaction required, making exploitation straightforward for remote attackers. The vulnerability impacts data integrity by permitting unauthorized deletion of files, potentially disrupting business operations or causing data loss. Although no known exploits are currently reported in the wild, the ease of exploitation and the widespread use of WooCommerce and Dropbox integrations elevate the risk. The CVSS v3.1 base score is 5.8, indicating a medium severity level, with the vector string AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N highlighting no confidentiality or availability impact but a significant integrity impact and scope change due to cross-component effects. The vulnerability was assigned and published by Wordfence and is tracked under CWE-862 (Missing Authorization).
Potential Impact
The primary impact of CVE-2025-13391 is a loss of data integrity: the deletion of arbitrary files stored in Dropbox and linked to WooCommerce stores using the Uni CPO plugin. This can lead to loss of critical business documents, product attachments, or pricing formula files, potentially disrupting e-commerce operations and causing financial and reputational damage. Since the vulnerability requires no authentication and can be exploited remotely, attackers can perform targeted deletions without detection if file paths are known or can be guessed. The lack of confidentiality and availability impact reduces the risk of data leakage or denial of service, but the integrity loss alone can have serious consequences for businesses relying on accurate product data and pricing. Organizations with automated workflows or backups dependent on these files may experience cascading failures or incorrect pricing calculations. The partial patch in version 4.9.60 mitigates some risk, but unpatched installations remain vulnerable. The absence of known exploits in the wild suggests limited current exploitation but does not preclude future attacks, especially as attackers often target popular e-commerce platforms. Overall, the threat poses a moderate risk to organizations globally, particularly those heavily invested in WooCommerce and Dropbox integrations.
Mitigation Recommendations
1. Immediately update the Uni CPO (Premium) plugin to the latest version beyond 4.9.60 that fully addresses the missing authorization vulnerability.
2. Implement strict access controls and permissions on Dropbox storage to limit file deletion capabilities to trusted accounts and services only.
3. Monitor file deletion logs and Dropbox activity for unusual or unauthorized deletion attempts, using automated alerting where possible.
4. Restrict exposure of file paths and URLs that could be leveraged by attackers to guess or enumerate files for deletion.
5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'uni_cpo_remove_file' function or related endpoints.
6. Conduct regular security audits and code reviews of custom WooCommerce plugins and integrations to ensure proper authorization checks are in place.
7. Educate development and operations teams about the risks of missing authorization and the importance of capability checks in plugin functions.
8. Maintain regular backups of critical files stored in Dropbox and WooCommerce to enable recovery in case of unauthorized deletion.
9. Consider isolating Dropbox storage accounts used for WooCommerce attachments to minimize blast radius in case of compromise.
10. Stay informed about updates and advisories from the plugin vendor and security communities regarding this vulnerability and related threats.
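Recommendations 6 and 7 above come down to one coding habit: every WordPress AJAX handler that deletes data must verify a nonce, a capability, and ownership of the specific object before acting. The following is an added illustration written for this page; it is not the Uni CPO plugin's code and does not reproduce how 'uni_cpo_remove_file' is implemented. The action names, the `example_*` function names and the `manage_woocommerce` capability are assumptions chosen to show the generic CWE-862 pattern and its hardened counterpart.

```php
<?php
// Added illustration, not the Uni CPO plugin's code. Shows a WordPress AJAX
// file-removal handler with the authorization check missing (CWE-862) and the
// hardened form a reviewer would expect. All names here are hypothetical.

// --- Missing-authorization pattern: registered for logged-out requests
// (wp_ajax_nopriv_) and no nonce or capability check, so any visitor who can
// name a file can delete it. This is what recommendation 6 is auditing for.
add_action( 'wp_ajax_nopriv_example_remove_file', 'example_remove_file_insecure' );
add_action( 'wp_ajax_example_remove_file',        'example_remove_file_insecure' );
function example_remove_file_insecure() {
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    wp_delete_attachment( $attachment_id, true ); // no authorization at all
    wp_send_json_success();
}

// --- Hardened pattern. Deliberately no wp_ajax_nopriv_ registration: a
// logged-out request never reaches this function in the first place.
add_action( 'wp_ajax_example_remove_file_v2', 'example_remove_file_secure' );
function example_remove_file_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action
    //    (wp_create_nonce( 'example_remove_file' ) on the page that renders the form).
    check_ajax_referer( 'example_remove_file', 'nonce' );

    // 2. Authorization, the check CWE-862 is about: require a capability that
    //    reflects who may manage product files. 'manage_woocommerce' is assumed.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: accept only an attachment ID, never a raw path, so the
    //    handler can only ever touch objects WordPress already knows about.
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid attachment' ), 400 );
    }

    // 4. Object-level check: the caller may only remove files attached to a
    //    product they are allowed to edit, which stops one shop manager from
    //    deleting another author's files on a multi-author store.
    $parent_id = (int) get_post_field( 'post_parent', $attachment_id );
    if ( $parent_id && ! current_user_can( 'edit_post', $parent_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 5. Only now perform the destructive operation, and report failure honestly
    //    so that monitoring (recommendation 3) sees a distinct status code.
    if ( false === wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
```

Two design points matter for the kind of flaw described on this page. First, the capability check is separate from the nonce check: a nonce only proves the request originated from a page the site rendered, not that the user is permitted to delete anything, so `check_ajax_referer` alone would not close a CWE-862 hole. Second, keying the operation on an attachment ID rather than a caller-supplied path removes the "if the file path is known" precondition entirely, because there is no path for a remote caller to supply; if the plugin must address external storage such as Dropbox, the mapping from ID to remote path belongs on the server side, never in the request.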
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, Japan, France, Netherlands, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T23:21:10.049Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698cb25d4b57a58fa1a74845
Added to database: 2/11/2026, 4:46:21 PM
Last enriched: 2/27/2026, 9:49:42 AM
Last updated: 3/28/2026, 10:06:22 PM
Views: 68