
CVE-2025-47535: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpopal Opal Woo Custom Product Variation

Severity: High
Tags: Vulnerability, CVE-2025-47535, CWE-22
Published: Fri May 23 2025 (05/23/2025, 12:43:31 UTC)
Source: CVE
Vendor/Project: wpopal
Product: Opal Woo Custom Product Variation

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpopal Opal Woo Custom Product Variation allows Path Traversal. This issue affects Opal Woo Custom Product Variation: from n/a through 1.2.0.

AI-Powered Analysis

Last updated: 07/08/2025, 21:41:18 UTC

Technical Analysis

CVE-2025-47535 is a high-severity path traversal vulnerability (CWE-22) found in the wpopal Opal Woo Custom Product Variation plugin, affecting versions up to 1.2.0. This vulnerability allows an unauthenticated remote attacker to manipulate file path inputs to access files and directories outside the intended restricted directory. The vulnerability arises due to improper validation or limitation of pathname inputs, enabling traversal sequences (e.g., '../') to escape the designated directory boundaries. Exploitation requires no user interaction or privileges and can be performed remotely over the network. The CVSS 3.1 base score of 8.6 reflects the vulnerability's high impact on availability (denial of service or disruption) without compromising confidentiality or integrity directly. The scope is changed (S:C), indicating that exploitation could affect resources beyond the initially vulnerable component, potentially impacting the entire web application or server. Although no known public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a significant risk, especially for websites relying on this plugin for WooCommerce product variation management. Attackers could leverage this flaw to cause service outages or disrupt e-commerce operations by accessing or deleting critical files, or triggering application crashes.

Potential Impact

For European organizations, especially e-commerce businesses using WooCommerce with the Opal Woo Custom Product Variation plugin, this vulnerability poses a substantial risk. Exploitation could lead to denial of service, disrupting online sales and customer trust. Given the critical role of e-commerce in the European digital economy, such disruptions can result in financial losses, reputational damage, and potential regulatory scrutiny under GDPR if service availability impacts customer data processing. Additionally, if attackers access sensitive configuration or backup files through path traversal, there could be indirect risks to confidentiality or integrity, although the CVSS score does not indicate direct impact on these. The vulnerability's remote and unauthenticated nature increases the attack surface, making it attractive for opportunistic attackers or automated scanning campaigns targeting European WooCommerce sites. Organizations with limited patch management or security monitoring capabilities are particularly vulnerable.

Mitigation Recommendations

Immediate mitigation should focus on updating the Opal Woo Custom Product Variation plugin to a patched version once released by the vendor. Until a patch is available, organizations should implement strict input validation and sanitization at the web application firewall (WAF) or reverse proxy level to detect and block path traversal patterns such as '../'. Employing a WAF with custom rules tailored to WooCommerce plugin vulnerabilities can reduce exposure. Restricting file system permissions for the web server user to limit access to only necessary directories can minimize potential damage. Regularly auditing plugin usage and removing unnecessary or outdated plugins reduces attack surface. Monitoring web server logs for suspicious path traversal attempts and setting up alerting mechanisms can help detect exploitation attempts early. Finally, organizations should review backup and recovery procedures to ensure rapid restoration in case of service disruption.
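The recommendation above to monitor web server logs for traversal attempts can be scripted. The following is an added example, not code from the page or from the plugin vendor: it scans Common Log Format lines (constructed here, with made-up endpoint and parameter names, since the advisory does not identify the affected endpoint) and flags request targets that contain a `..` path segment after repeated percent-decoding, so that `%2e%2e%2f` and double-encoded `%252e%252e%252f` variants are caught as well as the plain form.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory); the query
# parameter names are placeholders, as the page does not name the real ones.
SAMPLE_LOG = """\
203.0.113.10 - - [23/May/2025:12:43:31 +0000] "GET /wp-content/plugins/example-plugin/assets/x.css HTTP/1.1" 200 512
203.0.113.10 - - [23/May/2025:12:43:32 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=../../../../wp-config.php HTTP/1.1" 200 2048
198.51.100.7 - - [23/May/2025:12:44:01 +0000] "GET /index.php?p=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 180
198.51.100.7 - - [23/May/2025:12:44:02 +0000] "GET /index.php?p=%252e%252e%252fetc HTTP/1.1" 404 180
192.0.2.5 - - [23/May/2025:12:45:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64
"""

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment: not preceded by another dot, followed by a separator or end.
TRAVERSAL_RE = re.compile(r'(?<!\.)\.\.(?:[\\/]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True if the decoded request target contains a '..' path segment."""
    normalized = decode_fully(target).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(normalized))


def find_traversal_attempts(log_text):
    """Return (client_ip, raw_target) for every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group("target")):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, match.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Feeding real access logs through `find_traversal_attempts` and alerting on any hit gives the early-detection signal the mitigation section describes; pair it with the WAF rule so blocked and unblocked attempts are both visible.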


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-07T09:39:46.952Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68306f8e0acd01a24927241a

Added to database: 5/23/2025, 12:52:30 PM

Last enriched: 7/8/2025, 9:41:18 PM

Last updated: 8/14/2025, 11:53:04 PM

