The Integration Opvius AI for WooCommerce plugin for WordPress contains a critical path traversal vulnerability identified as CVE-2025-14301 (CWE-22). This vulnerability exists in the process_table_bulk_actions() function, which handles file path inputs from the wsaw-log[] POST parameter without performing necessary security checks such as authentication, nonce verification, or path validation. As a result, attackers can craft malicious requests to traverse directories and access or delete arbitrary files on the server filesystem. This includes sensitive files like wp-config.php, which contains database credentials and other critical configuration details. The vulnerability affects all plugin versions up to and including 1.3.0. The lack of authentication and user interaction requirements means the attack can be executed remotely by unauthenticated users, increasing the risk and ease of exploitation. The CVSS 3.1 score of 9.8 reflects the critical nature of this flaw, with a network attack vector, no privileges required, and full impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the severity and simplicity of exploitation make this a high-priority issue for affected sites. The vulnerability could lead to site defacement, data leakage, or complete site compromise if exploited.

The impact of CVE-2025-14301 is severe for organizations using the Integration Opvius AI for WooCommerce plugin. Successful exploitation allows unauthenticated attackers to read or delete arbitrary files on the web server, potentially leading to full site compromise. Deletion of critical files like wp-config.php can cause site downtime and loss of configuration, while reading sensitive files can expose database credentials and other secrets, enabling further attacks such as database compromise or lateral movement. The vulnerability threatens confidentiality, integrity, and availability of affected systems. E-commerce sites relying on WooCommerce and this plugin risk financial loss, reputational damage, and regulatory consequences if customer data is exposed or services disrupted. Given the plugin’s integration with AI features, attackers might also manipulate AI-driven processes or data. The ease of remote exploitation without authentication or user interaction broadens the attack surface, increasing the likelihood of automated scanning and exploitation attempts worldwide.

To mitigate CVE-2025-14301, organizations should immediately update the Integration Opvius AI for WooCommerce plugin to a patched version once available. If no patch is currently released, temporary mitigations include restricting access to the vulnerable endpoint by IP whitelisting or web application firewall (WAF) rules that block requests containing the wsaw-log[] parameter. Implementing strict input validation and sanitization on file path parameters can prevent path traversal attempts. Enforcing authentication and nonce verification on sensitive actions within the plugin’s code is critical to prevent unauthorized access. Regularly auditing file permissions on the server to minimize damage from file deletion is recommended. Monitoring web server logs for suspicious POST requests targeting the vulnerable parameter can help detect exploitation attempts. Additionally, maintaining regular backups of critical files like wp-config.php ensures rapid recovery if deletion occurs. Organizations should also consider isolating WordPress instances and running them with least privilege to limit the impact of a successful attack.