
CVE-2025-4564: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in facturaone TicketBAI Facturas para WooCommerce

Severity: Critical
Tags: Vulnerability, CVE-2025-4564, cve, cwe-22
Published: Thu May 15 2025 (05/15/2025, 11:13:15 UTC)
Source: CVE
Vendor/Project: facturaone
Product: TicketBAI Facturas para WooCommerce

Description

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

AI-Powered Analysis

Last updated: 07/06/2025, 12:13:10 UTC

Technical Analysis

CVE-2025-4564 is a critical security vulnerability identified in the TicketBAI Facturas para WooCommerce plugin for WordPress, affecting all versions up to and including 3.18. This vulnerability is classified as CWE-22, which relates to improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw. The issue arises from insufficient validation of file paths in the 'delpdf' action, allowing unauthenticated attackers to craft requests that can delete arbitrary files on the server hosting the WordPress site. Because no authentication or user interaction is required, the attack surface is broad and easily exploitable remotely over the network. The ability to delete arbitrary files can lead to severe consequences, including the deletion of critical WordPress configuration files such as wp-config.php. Such deletions can disrupt the availability of the website or, more dangerously, enable attackers to execute remote code by manipulating the environment or triggering fallback behaviors. The CVSS v3.1 score of 9.8 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation (network vector, no privileges required, no user interaction). Although no known exploits are reported in the wild yet, the severity and simplicity of exploitation make this vulnerability a high priority for patching and mitigation. The lack of available patches at the time of disclosure further increases the urgency for organizations to implement compensating controls.
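The flaw described above is the classic join-and-trust mistake: a caller-supplied file name is appended to a directory and handed to the delete call without first resolving it and checking where it actually points. The Python below is an added example, not the plugin's code or anything from the advisory. It places the unsafe pattern next to a hardened check that resolves symlinks and `..` segments and then requires the result to stay inside the directory the handler manages. The directory layout, the `.pdf` restriction and the `demo()` helper are constructed for illustration; the same resolve-then-compare check is what a PHP handler would do with `realpath()` before calling `unlink()`.

```python
"""Resolve-then-contain check for a file-deletion handler.

Added example, not the plugin's code. It contrasts the CWE-22 pattern
(joining a caller-supplied name onto a directory and trusting the result)
with the hardened form: resolve symlinks and '..' first, then require the
result to lie inside the resolved base directory. Directory and file names
used in demo() are constructed for the demonstration.
"""
import tempfile
from pathlib import Path
from typing import Optional


def unsafe_delete_target(base_dir: str, requested: str) -> Path:
    """Vulnerable pattern: '..' segments (or an absolute path) in `requested`
    move the result outside base_dir, and the caller would unlink it anyway."""
    return Path(base_dir) / requested


def safe_delete_target(base_dir: str, requested: str) -> Optional[Path]:
    """Hardened pattern. Returns the file to delete, or None to refuse.

    Checks, in order: the resolved candidate is strictly inside the resolved
    base (catches '..', absolute paths and symlinks pointing out), and the
    candidate has the extension this handler is supposed to manage.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)   # raises ValueError when outside base
    except ValueError:
        return None
    if candidate == base:             # never delete the directory itself
        return None
    if candidate.suffix.lower() != ".pdf":
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway tree and exercise both functions; every value is True
    when the hardened check behaves as intended."""
    with tempfile.TemporaryDirectory() as root:
        invoices = Path(root) / "invoices"
        invoices.mkdir()
        (invoices / "inv-1.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        outside = Path(root) / "wp-config.php"        # stand-in for a config file
        outside.write_text("<?php // constructed stand-in\n")
        (invoices / "link.pdf").symlink_to(outside)    # symlink escaping the directory
        return {
            "legit_allowed": safe_delete_target(str(invoices), "inv-1.pdf")
                             == (invoices / "inv-1.pdf").resolve(),
            "unsafe_escapes": unsafe_delete_target(str(invoices), "../wp-config.php").resolve()
                              == outside.resolve(),
            "traversal_refused": safe_delete_target(str(invoices), "../wp-config.php") is None,
            "absolute_refused": safe_delete_target(str(invoices), str(outside)) is None,
            "symlink_refused": safe_delete_target(str(invoices), "link.pdf") is None,
            "wrong_type_refused": safe_delete_target(str(invoices), "notes.txt") is None,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20} {'ok' if ok else 'FAIL'}")
```

The containment test works on resolved paths rather than on the string, which is why a symlink inside the directory and an absolute path are refused along with `..`; a string-based check for `../` would miss the first two.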

Potential Impact

For European organizations, especially those using WordPress with the TicketBAI Facturas para WooCommerce plugin, this vulnerability poses a significant risk. The arbitrary file deletion can lead to website defacement, downtime, data loss, and potential remote code execution, which could compromise the entire web server and connected internal networks. Given that WooCommerce is widely used for e-commerce across Europe, including small and medium enterprises that may rely on this plugin for invoicing and compliance with local tax regulations (such as TicketBAI in Spain), the impact could disrupt business operations and customer trust. Additionally, compromise of financial or personal data processed through these platforms could lead to violations of GDPR, resulting in legal and financial penalties. The vulnerability could also be leveraged as an entry point for broader attacks, including lateral movement within corporate networks or deployment of ransomware, amplifying the operational and reputational damage.

Mitigation Recommendations

Immediate mitigation should focus on restricting access to the vulnerable 'delpdf' action endpoint. Web application firewalls (WAFs) can be configured to block suspicious requests attempting path traversal patterns or unauthorized file deletion commands targeting this plugin. Network-level restrictions limiting access to the WordPress admin and plugin endpoints to trusted IP addresses can reduce exposure. Organizations should monitor web server logs for unusual deletion requests or errors related to file access. Until an official patch is released, disabling or uninstalling the TicketBAI Facturas para WooCommerce plugin is advisable if feasible. Additionally, implementing regular, verified backups of the WordPress site and server files will enable rapid recovery if file deletion occurs. Security teams should also ensure that file system permissions are appropriately restrictive, preventing the web server process from deleting critical files outside designated directories. Finally, organizations should subscribe to vendor and security advisories to apply patches promptly once available.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-05-12T05:42:19.386Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec75c

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 12:13:10 PM

Last updated: 8/15/2025, 9:06:27 PM
