CVE-2025-5391: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bbioon WooCommerce Purchase Orders
The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-5391 is a high-severity vulnerability in the WooCommerce Purchase Orders plugin for WordPress, affecting all versions up to and including 1.0.2. The root cause is an improper limitation of a pathname to a restricted directory, classified as CWE-22 (Path Traversal): the delete_file() function does not adequately validate the supplied file path before deleting it. An authenticated user with as little as Subscriber-level privileges can therefore craft a request that deletes an arbitrary file on the web server hosting the WordPress site. Because critical files such as wp-config.php can be deleted, the flaw can lead to remote code execution (RCE) by destabilizing the application or enabling attackers to upload or execute malicious code. The CVSS v3.1 score is 8.1, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on integrity and availability. No public exploits have been reported yet, but the nature of the vulnerability and the ease of exploitation make it a significant threat. The plugin’s widespread use in e-commerce environments increases the risk, since attackers could disrupt business operations or gain persistent access through RCE. Although exploitation is limited to authenticated users, Subscriber-level accounts are common in WordPress installations that assign that role to registered users or customers.
Potential Impact
For European organizations, especially those running WooCommerce-based e-commerce platforms, this vulnerability poses a serious risk. Exploitation can lead to deletion of critical files, causing website downtime, loss of data integrity, and potential full system compromise via remote code execution. This can disrupt business continuity, damage reputation, and lead to financial losses. Organizations handling sensitive customer data are at risk of data breaches if attackers leverage RCE to escalate privileges or move laterally within the network. The impact on availability can also affect customer trust and violate compliance requirements such as GDPR, which mandates protection of personal data and timely breach notifications. Given the plugin’s popularity among small to medium-sized enterprises (SMEs) in Europe, the threat could affect a broad range of sectors including retail, services, and digital goods providers.
Mitigation Recommendations
Immediate mitigation is to update the WooCommerce Purchase Orders plugin to a patched version once one is available. Until then, organizations should restrict Subscriber-level users’ capabilities by tightening role permissions, or disable the plugin if it is not essential. A Web Application Firewall (WAF) with rules that detect and block path traversal patterns in HTTP requests can provide temporary protection. Monitoring file system integrity and alerting on unexpected deletions of critical files such as wp-config.php are recommended. Enforcing strong authentication and limiting open user registration also reduce the attack surface. Regular backups with offline copies ensure recovery from destructive attacks. Security teams should audit all installed plugins for similar vulnerabilities and maintain an up-to-date inventory so they can respond quickly to emerging threats.
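The two controls the Technical Summary says are missing, a path containment check and a capability check in front of the deletion, as an added PHP example. This is not the plugin's code (its delete_file() is not shown on this page); the function names, the AJAX action name, the nonce action and the purchase-orders upload directory are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed layout: purchase-order
// uploads live under wp-content/uploads/purchase-orders/ (hypothetical).

/**
 * Resolve a user-supplied file name to a path guaranteed to sit inside
 * $base_dir, or return null. Rejects "../" segments, absolute paths, and
 * symlinks whose target lies outside the directory (the CWE-22 cases).
 */
function po_resolve_contained_path( string $base_dir, string $user_file ): ?string {
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return null;
    }
    // Keep only the final path component; sanitize_file_name() (WordPress
    // core) strips separators and other characters unsafe in a file name.
    $name = sanitize_file_name( basename( $user_file ) );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return null;
    }
    // realpath() follows symlinks and returns false for nonexistent files.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $candidate === false || is_dir( $candidate ) ) {
        return null;
    }
    // Final containment check on the resolved path, not the raw input.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( strncmp( $candidate, $prefix, strlen( $prefix ) ) !== 0 ) {
        return null;
    }
    return $candidate;
}

/**
 * AJAX handler (hypothetical action name). Subscribers cannot reach the
 * deletion: the caller must hold manage_woocommerce and present a nonce.
 */
function po_delete_file_hardened(): void {
    check_ajax_referer( 'po_delete_file', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $base = wp_upload_dir()['basedir'] . '/purchase-orders';
    $path = po_resolve_contained_path( $base, wp_unslash( $_POST['file'] ?? '' ) );
    if ( $path === null ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    unlink( $path ) ? wp_send_json_success() : wp_send_json_error( 'delete failed', 500 );
}
add_action( 'wp_ajax_po_delete_file', 'po_delete_file_hardened' );
```

The capability check alone would have closed the Subscriber-level vector; the containment check on the realpath() result closes traversal even for privileged callers, and checking the resolved path rather than the raw input is what defeats symlink tricks.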
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-05-30T15:36:49.329Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689aa7d2ad5a09ad002be7a5
Added to database: 8/12/2025, 2:32:50 AM
Last enriched: 8/20/2025, 2:04:19 AM
Last updated: 8/20/2025, 7:03:29 AM
Related Threats
- CVE-2025-9237: Cross Site Scripting in CodeAstro Ecommerce Website (Medium)
- CVE-2025-9236: SQL Injection in Portabilis i-Diario (Medium)
- CVE-2025-54551: External control of assumed-Immutable web parameter in FUJIFILM Healthcare Americas Corporation Synapse Mobility (Medium)
- CVE-2025-9235: Cross Site Scripting in Scada-LTS (Medium)
- CVE-2025-9234: Cross Site Scripting in Scada-LTS (Medium)