CVE-2025-5391 is a path traversal vulnerability classified under CWE-22 found in the bbioon WooCommerce Purchase Orders plugin for WordPress. The flaw exists in the delete_file() function, which fails to properly validate and restrict file paths before deletion. This improper limitation allows authenticated attackers with as low as Subscriber-level privileges to craft malicious requests that delete arbitrary files on the hosting server. Since WordPress plugins typically run with the same permissions as the web server user, deleting critical files such as wp-config.php can disrupt site availability or enable remote code execution by forcing site misconfiguration or triggering fallback behaviors. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS 3.1 base score is 8.1, reflecting high impact on integrity and availability, low attack complexity, and the need for low privileges. No patches or official fixes are currently linked, and no active exploits have been reported, but the risk remains high due to the potential for severe damage and ease of exploitation.

The vulnerability allows attackers to delete arbitrary files on the server, which can lead to denial of service by removing essential site files or configuration data. More critically, deleting files like wp-config.php can enable attackers to execute remote code, potentially leading to full site compromise, data theft, or further lateral movement within the hosting environment. This threatens the confidentiality, integrity, and availability of affected WordPress sites. Organizations relying on WooCommerce Purchase Orders for e-commerce operations risk financial loss, reputational damage, and regulatory consequences if exploited. The requirement for only Subscriber-level access lowers the barrier for exploitation, increasing the threat surface. The vulnerability affects all versions up to 1.0.2, implying a broad scope of potentially vulnerable installations worldwide.

Immediate mitigation should include restricting or disabling the WooCommerce Purchase Orders plugin until a patch is available. Administrators should audit user roles and permissions to ensure that only trusted users have Subscriber-level or higher access. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the delete_file() function or path traversal patterns. Employ file integrity monitoring to detect unauthorized file deletions or modifications. Regular backups of critical files such as wp-config.php should be maintained to enable rapid recovery. Developers should implement strict server-side validation and sanitization of file paths, enforcing whitelist-based restrictions to prevent traversal outside allowed directories. Monitoring logs for unusual deletion activity and applying principle of least privilege to WordPress roles can further reduce risk. Once a patch is released, apply it promptly and verify the fix.