CVE-2025-7694 is a path traversal vulnerability classified under CWE-22 affecting the Woffice Core plugin for WordPress. This vulnerability arises from insufficient validation of file paths in the woffice_file_manager_delete() function present in all versions up to and including 5.4.26. Authenticated users with Contributor-level privileges or higher can exploit this flaw to delete arbitrary files on the server. The lack of proper pathname restriction allows attackers to traverse directories and target critical files outside the intended directory scope. Deleting sensitive files such as wp-config.php can lead to severe consequences, including remote code execution (RCE), as the deletion of configuration files may disrupt normal application behavior or enable attackers to upload malicious payloads or manipulate the environment. The vulnerability has a CVSS 3.1 base score of 6.8, indicating a medium severity level, with the vector highlighting network attack vector (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and high availability impact (A:H). No known exploits are currently reported in the wild, but the potential for exploitation exists due to the nature of the vulnerability and the common use of WordPress and its plugins. The vulnerability was published on August 2, 2025, and was reserved on July 15, 2025. No official patches have been linked yet, so mitigation currently relies on access control and monitoring measures.

For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites using the Woffice Core plugin for intranet, extranet, or collaboration platforms. The ability for an authenticated user with relatively low privileges to delete arbitrary files can lead to service disruption, data loss, and potential full system compromise via remote code execution. This can impact the integrity and availability of critical web services, potentially causing operational downtime and reputational damage. Given the widespread adoption of WordPress in Europe across various sectors including government, education, and private enterprises, the threat could affect a broad range of organizations. The medium CVSS score reflects the complexity of exploitation but does not diminish the potential for impactful attacks if exploited. The absence of known exploits in the wild suggests a window of opportunity for proactive defense. However, once exploited, the consequences could be severe, particularly for organizations with sensitive data or critical infrastructure hosted on vulnerable WordPress instances.

1. Immediate mitigation should include restricting Contributor-level and higher privileges to trusted users only, minimizing the attack surface. 2. Implement strict monitoring and logging of file deletion activities within the WordPress environment to detect suspicious behavior early. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the woffice_file_manager_delete() function. 4. Conduct a thorough audit of all WordPress plugins and remove or disable Woffice Core if not essential until an official patch is released. 5. Use file integrity monitoring tools to alert on unexpected deletions or modifications of critical files such as wp-config.php. 6. Segregate the WordPress environment with least privilege principles at the OS level to limit the impact of file deletions. 7. Prepare incident response plans specifically addressing potential file deletion and RCE scenarios related to this vulnerability. 8. Stay updated with vendor announcements for patches and apply them promptly once available.