CVE-2025-7694: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in WofficeIO Woffice Core
The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
AI Analysis
Technical Summary
CVE-2025-7694 is a path traversal vulnerability classified under CWE-22 affecting the Woffice Core plugin for WordPress. This vulnerability arises from insufficient validation of file paths in the woffice_file_manager_delete() function, present in all versions up to and including 5.4.26. Authenticated attackers with Contributor-level access or higher can exploit this flaw to delete arbitrary files on the server. The lack of proper pathname restrictions allows attackers to traverse directories and specify files outside the intended directory scope. By deleting critical files such as wp-config.php, attackers can disrupt the WordPress installation, potentially leading to remote code execution or complete site compromise. The vulnerability has a CVSS 3.1 base score of 6.8, indicating a medium severity level. The attack vector is network-based, requiring low privileges (Contributor role), no user interaction, and has a high impact on integrity and availability but no direct confidentiality impact. No known exploits are currently reported in the wild, and no patches have been released at the time of this report. The vulnerability is significant because WordPress is widely used, and Woffice Core is a popular plugin for intranet and extranet sites, making affected installations attractive targets for attackers aiming to disrupt business operations or gain further access.
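The missing control described above is a containment check: the requested name must resolve to a file inside the directory the file manager is allowed to manage before anything is deleted. The following Python example is added here to illustrate that check and is not code from the Woffice plugin; the sandbox directory, file names and symlink it builds are constructed for the demo.

```python
import os
import tempfile
from typing import Optional


def resolve_inside(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` only if it lies inside `base_dir`.

    Rejects empty or absolute names, NUL bytes, '..' escapes and symlink
    escapes: realpath() resolves both before the containment comparison.
    """
    if not requested or os.path.isabs(requested) or "\0" in requested:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # e.g. different drives on Windows
        inside = False
    return target if inside and target != base else None


def safe_delete(base_dir: str, requested: str) -> bool:
    """Delete `requested` only when it resolves to a regular file inside `base_dir`."""
    target = resolve_inside(base_dir, requested)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed sandbox: an allowed 'uploads' dir beside a protected file."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    protected = os.path.join(root, "wp-config.php")   # outside the allowed dir
    for path in (os.path.join(uploads, "report.pdf"), protected):
        with open(path, "w") as fh:
            fh.write("x")
    os.symlink(protected, os.path.join(uploads, "link"))  # symlink escape attempt
    return {
        "plain": safe_delete(uploads, "report.pdf"),            # True
        "traversal": safe_delete(uploads, "../wp-config.php"),  # False
        "absolute": safe_delete(uploads, protected),            # False
        "symlink": safe_delete(uploads, "link"),                # False
        "protected_survives": os.path.isfile(protected),        # True
    }


if __name__ == "__main__":
    print(demo())
```

Note that a capability check (is this user allowed to delete files at all?) belongs in front of this path check; the containment test only bounds what an authorised user can reach.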
Potential Impact
For European organizations, this vulnerability poses a considerable risk, especially for those relying on WordPress with the Woffice Core plugin for internal collaboration or client-facing portals. Successful exploitation can lead to deletion of critical files, causing service outages, data loss, and potential escalation to remote code execution, which can compromise entire web servers. This can disrupt business continuity, damage reputation, and lead to regulatory non-compliance under GDPR if personal data is affected or availability is impacted. Organizations in sectors such as finance, healthcare, education, and government, which often use WordPress-based intranet solutions, may face heightened risks. The requirement for only Contributor-level access lowers the barrier for insider threats or compromised accounts to exploit this vulnerability, increasing the attack surface. Additionally, the lack of patches means organizations must rely on mitigation until an official fix is available.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Woffice Core plugin and verify the version in use. Until a patch is released, the following specific mitigations are recommended:
- Restrict Contributor-level access strictly to trusted users and review user permissions to minimize the number of users with such privileges.
- Implement Web Application Firewall (WAF) rules to detect and block suspicious file deletion requests or path traversal patterns targeting the woffice_file_manager_delete() endpoint.
- Employ file integrity monitoring to detect unauthorized deletions or modifications of critical files such as wp-config.php.
- Regularly back up WordPress files and databases to enable rapid restoration in case of file deletion.
- Consider temporarily disabling or removing the Woffice Core plugin if it is not essential.
- Monitor logs for unusual activity related to file deletions or Contributor account actions.
- Prepare to apply patches promptly once released by the vendor.
These targeted steps go beyond generic advice by focusing on access control, detection, and recovery specific to this vulnerability's exploitation vector.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-15T20:01:09.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688d8a60ad5a09ad00d0f58e
Added to database: 8/2/2025, 3:47:44 AM
Last enriched: 8/2/2025, 4:02:44 AM
Last updated: 8/2/2025, 12:03:44 PM