CVE-2025-7694: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WofficeIO Woffice Core
The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-7694 is a path traversal vulnerability classified under CWE-22 found in the Woffice Core plugin for WordPress, affecting all versions up to and including 5.4.26. The vulnerability exists in the woffice_file_manager_delete() function, which fails to properly validate and restrict file paths before performing file deletion operations. Authenticated users with Contributor-level privileges or higher can exploit this flaw by crafting malicious requests that traverse directories and delete arbitrary files on the server. This capability is particularly dangerous because deleting critical files such as wp-config.php can disrupt WordPress configuration and potentially allow attackers to execute remote code or cause denial of service. The vulnerability requires network access and authentication but does not require user interaction beyond the attacker's own authenticated session. The CVSS v3.1 base score of 6.8 reflects a medium severity rating, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and high availability impact (A:H). No public exploits have been reported yet, but the potential for serious impact exists if exploited. The vulnerability was publicly disclosed on August 2, 2025, with no official patch links available at the time, emphasizing the need for immediate attention by administrators of affected systems.
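As an added example (not the plugin's own code), the control whose absence the summary describes: a delete handler that resolves the caller-supplied path with realpath() and accepts it only if the canonical result stays under one base directory. The function names and the temporary directory are assumptions.

```php
<?php
// Added example (not Woffice code): confine a user-supplied delete target to
// one base directory before unlink(). All function names are hypothetical.
function resolve_confined_path(string $base_dir, string $user_path): ?string
{
    // Reject empty input, NUL bytes and absolute paths before touching the FS.
    if ($user_path === '' || strpos($user_path, "\0") !== false
        || $user_path[0] === '/' || $user_path[0] === '\\') {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // realpath() canonicalises "." and ".." and follows symlinks, so a link
    // inside the base that points outside it is rejected by the prefix check.
    $candidate = realpath($base . $user_path);
    if ($candidate === false) {
        return null; // nonexistent, or a component that cannot be resolved
    }
    // Trailing separator on $base keeps "/uploads2" from matching "/uploads".
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }
    return $candidate;
}

function safe_file_manager_delete(string $base_dir, string $user_path): bool
{
    $target = resolve_confined_path($base_dir, $user_path);
    if ($target === null || !is_file($target)) {
        error_log('file manager delete rejected: ' . $user_path); // audit trail
        return false;
    }
    return unlink($target);
}

// Demonstration on a constructed temporary directory.
$base = sys_get_temp_dir() . '/wfm_demo_' . getmypid();
mkdir($base, 0700, true);
file_put_contents($base . '/report.txt', 'constructed sample');
$outside = tempnam(sys_get_temp_dir(), 'outside_'); // a file the manager must not reach
var_dump(safe_file_manager_delete($base, '../' . basename($outside))); // traversal attempt
var_dump(safe_file_manager_delete($base, 'report.txt'));               // in-bounds file
unlink($outside);
rmdir($base);
```

In a real WordPress handler a capability check (current_user_can()) and a nonce check would run before this path check, and the log line gives the monitoring recommended below something concrete to alert on.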
Potential Impact
The impact of CVE-2025-7694 is significant for organizations using the Woffice Core WordPress plugin. Successful exploitation allows authenticated users with relatively low privileges (Contributor role) to delete arbitrary files on the web server. This can lead to disruption of website functionality, loss of critical configuration files, and potentially remote code execution if attackers delete or manipulate files that control site behavior. The integrity and availability of the affected WordPress sites are at high risk, potentially resulting in website downtime, data loss, and unauthorized system control. Organizations relying on Woffice Core for collaboration or intranet purposes may face operational disruptions and reputational damage. Since WordPress is widely used globally, the scope of affected systems is broad, especially for sites that grant Contributor-level access to untrusted users or have weak access controls. The requirement for authentication limits exploitation to insiders or compromised accounts, but the ease of privilege escalation within WordPress environments can increase risk. The absence of known exploits in the wild reduces the immediate threat but does not eliminate future risk, especially after public disclosure.
Mitigation Recommendations
To mitigate CVE-2025-7694, organizations should immediately review and restrict Contributor-level access permissions, ensuring only trusted users have such privileges. Implement strict role-based access controls and audit user roles regularly. Monitor server logs and WordPress activity logs for unusual file deletion attempts or suspicious behavior related to the woffice_file_manager_delete() function. Until an official patch is released, consider disabling or removing the Woffice Core plugin if feasible, or restrict access to the file manager functionality via web application firewalls or plugin configuration. Employ file integrity monitoring solutions to detect unauthorized changes or deletions of critical files like wp-config.php. Harden the WordPress environment by disabling unnecessary file operations and ensuring the web server user has minimal file system permissions. Stay updated with vendor advisories and apply patches promptly once available. Additionally, implement multi-factor authentication to reduce the risk of account compromise that could lead to exploitation.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-15T20:01:09.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688d8a60ad5a09ad00d0f58e
Added to database: 8/2/2025, 3:47:44 AM
Last enriched: 2/26/2026, 4:29:43 PM
Last updated: 3/26/2026, 8:37:27 AM