CVE-2025-4564: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in facturaone TicketBAI Facturas para WooCommerce

Severity: Critical
Published: Thu May 15 2025 (05/15/2025, 11:13:15 UTC)
Source: CVE
Vendor/Project: facturaone
Product: TicketBAI Facturas para WooCommerce

Description

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Machine-generated threat intelligence. Last updated: 02/27/2026, 14:36:28 UTC

Technical Analysis

CVE-2025-4564 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) affecting the TicketBAI Facturas para WooCommerce plugin for WordPress. The flaw exists in the handling of the 'delpdf' action, where insufficient validation of file paths allows an unauthenticated attacker to specify arbitrary file paths for deletion on the server. Because the plugin does not properly restrict the pathname, attackers can delete any file accessible by the web server process, including sensitive configuration files such as wp-config.php. Deleting such files can lead to remote code execution or complete site compromise. The vulnerability affects all versions up to and including 3.18, with no authentication or user interaction required, making it trivially exploitable remotely. The CVSS v3.1 base score is 9.8, indicating critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant risk due to the potential for complete system compromise. The plugin is used primarily in WordPress e-commerce environments, which are common worldwide, increasing the scope of impact. The vulnerability was publicly disclosed on May 15, 2025, with enrichment from CISA, emphasizing its importance. No official patches were linked at the time of disclosure, so mitigation may require temporary workarounds or disabling the vulnerable functionality until updates are available.

Potential Impact

The impact of CVE-2025-4564 is severe and multifaceted. Successful exploitation allows an unauthenticated attacker to delete arbitrary files on the web server hosting the vulnerable WooCommerce plugin. This can lead to the loss of critical website files, including configuration files (e.g., wp-config.php), plugin files, or other application data, resulting in denial of service or site downtime. More critically, deletion of configuration files can enable attackers to execute arbitrary code remotely, potentially gaining full control over the web server and underlying infrastructure. This compromises confidentiality, integrity, and availability of the affected systems. For organizations, this can mean data breaches, loss of customer trust, financial losses, and regulatory penalties. E-commerce sites relying on this plugin are particularly at risk, as attackers could disrupt sales, steal customer data, or implant malware. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation once exploit code becomes available. The lack of patches at disclosure time further exacerbates the risk, requiring immediate defensive measures.

Mitigation Recommendations

1. Immediately audit all WordPress sites using the TicketBAI Facturas para WooCommerce plugin to identify affected versions (up to and including 3.18).
2. Disable or restrict access to the 'delpdf' action endpoint via web server configuration or firewall rules to prevent unauthenticated access until a patch is available.
3. Implement strict web application firewall (WAF) rules to detect and block path traversal patterns targeting the 'delpdf' parameter.
4. Restrict file system permissions for the web server user to limit the scope of deletable files, ensuring critical files like wp-config.php are not writable or deletable by the web server process.
5. Monitor server logs for suspicious requests attempting to exploit path traversal or file deletion.
6. Once available, promptly apply official patches or updates from the plugin vendor.
7. Consider isolating the WordPress environment using containerization or sandboxing to limit damage from potential exploitation.
8. Regularly back up website files and databases to enable rapid recovery in case of file deletion or compromise.
9. Educate site administrators about the risks and signs of exploitation to enable quick incident response.
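Mitigation step 5 above (log monitoring), as an added example that is not part of this advisory or of the plugin's code: a small Python screen over web server access logs that flags requests carrying the 'delpdf' action whose parameters contain a directory traversal sequence, including percent-encoded and double-encoded forms. The admin-ajax.php endpoint, the 'file' parameter name and the log lines are constructed assumptions; the advisory does not name the endpoint or the parameter, so the check inspects every query parameter of a delpdf request.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined log format: client IP first, then the quoted request line. Regex is ours, not the plugin's.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Constructed sample lines; the endpoint and the 'file' parameter name are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [15/May/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=invoice-42.pdf HTTP/1.1" 200 17
203.0.113.11 - - [15/May/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=../../wp-config.php HTTP/1.1" 200 17
203.0.113.12 - - [15/May/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 17
203.0.113.13 - - [15/May/2025:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 17
203.0.113.14 - - [15/May/2025:12:00:05 +0000] "GET /shop/?product=widget HTTP/1.1" 200 5120
"""

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e%252e) are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value: str) -> bool:
    """True if a decoded value steps out of its directory ('..' segment) or names an absolute path."""
    normalized = fully_decode(value).replace("\\", "/")
    return ".." in normalized.split("/") or normalized.startswith("/")

def find_delpdf_traversal(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, offending_value) for each delpdf request carrying a traversal payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if "delpdf" not in params.get("action", []):
            continue  # only the vulnerable action is of interest here
        for key, values in params.items():
            if key == "action":
                continue
            hits.extend((m.group("ip"), v) for v in values if is_traversal(v))
    return hits

if __name__ == "__main__":
    for ip, value in find_delpdf_traversal(SAMPLE_LOG):
        print(f"ALERT {ip} delpdf traversal attempt: {value!r}")
```

Run it over a real access log by piping the file into find_delpdf_traversal; a hit on a delpdf request is worth correlating with file integrity checks on wp-config.php and the plugin's PDF directory.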


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-12T05:42:19.386Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec75c

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 2/27/2026, 2:36:28 PM

Last updated: 3/24/2026, 8:47:09 PM
