WooCommerce Purchase Orders CVE-2025-5391 Arbitrary File Deletion Vulnerability: Brief Summary and Technical Review

A brief summary and technical review of CVE-2025-5391, a high-severity arbitrary file deletion vulnerability in the WooCommerce Purchase Orders plugin for WordPress. This post covers affected versions, technical root cause, detection methods, and vendor security history.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-08-11

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Deleting a single configuration file can hand over control of an entire WordPress site to an attacker. The WooCommerce Purchase Orders plugin, widely used for business-to-business workflows in the WordPress ecosystem, is vulnerable to a high-severity arbitrary file deletion flaw tracked as CVE-2025-5391. This issue allows any authenticated user with subscriber-level access or higher to delete files anywhere on the server, including critical files like wp-config.php, potentially leading to full site compromise.

Brief on Involved Software: WooCommerce is one of the most widely adopted e-commerce platforms for WordPress, powering millions of online stores globally. The WooCommerce Purchase Orders plugin is a third-party extension designed to facilitate purchase order workflows for businesses. Vulnerabilities in such plugins can have significant downstream impact due to their integration with payment and order processing systems.

Technical Information

The vulnerability is rooted in the delete_file() function within class-bbpo-purchase-orders-files.php of the WooCommerce Purchase Orders plugin. The function is intended to handle deletion of files related to purchase orders but fails to adequately validate user-supplied file paths. Specifically, it does not properly sanitize input, allowing path traversal sequences (such as ../) to escape the intended directory and target arbitrary files on the server filesystem.

Key technical points:

  • The flaw affects all versions up to and including 1.0.2 of the plugin.
  • Any authenticated user with subscriber-level access or higher can exploit the vulnerability.
  • Attackers can craft requests that include directory traversal patterns in the file path parameter, enabling deletion of files outside the plugin's directory.
  • Deleting wp-config.php or similar critical files can trigger WordPress installation routines, which attackers can hijack to gain administrative access.
  • The vulnerability is categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Vulnerable code location:

  • class-bbpo-purchase-orders-files.php (source)
  • class-bbpo-purchase-orders.php (source)
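To make the root cause concrete, here is an added example (not the plugin's code, which is PHP) that models the unchecked deletion pattern in Python beside a confined version; the directory layout, file names and the "uploads" base directory are constructed for the demonstration.

```python
import os
import tempfile

# Added example, not the plugin's code. The plugin is written in PHP; this
# models the same defect in Python: a delete helper that joins a user-supplied
# name onto the upload directory without confining the result, beside a
# hardened version that canonicalises the path and refuses anything outside.

def delete_unchecked(base_dir, user_path):
    """Vulnerable pattern: trusts the supplied path, so '../' escapes base_dir."""
    target = os.path.join(base_dir, user_path)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False

def delete_confined(base_dir, user_path):
    """Hardened: resolve symlinks and '..' first, then require containment."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # A string prefix test is not enough ('/uploads-old' starts with '/uploads');
    # commonpath compares whole path components. Absolute input also fails here.
    if os.path.commonpath([base, target]) != base:
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True

def demo():
    """Constructed layout: <tmp>/wp-config.php beside <tmp>/uploads/po-7.pdf."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    config = os.path.join(root, "wp-config.php")
    for path in (config, os.path.join(uploads, "po-7.pdf")):
        with open(path, "w") as fh:
            fh.write("placeholder")
    results = {}
    # the unchecked helper removes the site configuration via traversal
    results["unchecked_traversal"] = delete_unchecked(uploads, "../wp-config.php")
    results["config_after_unchecked"] = os.path.exists(config)
    with open(config, "w") as fh:        # restore it for the hardened run
        fh.write("placeholder")
    results["confined_traversal"] = delete_confined(uploads, "../wp-config.php")
    results["config_after_confined"] = os.path.exists(config)
    results["confined_legit"] = delete_confined(uploads, "po-7.pdf")
    return results

if __name__ == "__main__":
    print(demo())
```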

Detection Methods

Detecting unauthorized file deletion vulnerabilities, such as the one in the WooCommerce Purchase Orders plugin, involves monitoring for specific indicators and implementing proactive measures:

Log Analysis:

  • File Deletion Logs: Regularly review server and application logs for unexpected file deletion events, especially those initiated by users with subscriber-level access.
  • Access Patterns: Monitor for unusual access patterns, such as multiple deletion requests from a single user or IP address, which may indicate exploitation attempts.

User Activity Monitoring:

  • Permission Audits: Conduct periodic audits of user permissions to ensure that subscribers do not have the capability to delete critical files.
  • Behavioral Anomalies: Implement monitoring tools to detect anomalous behaviors, such as subscribers attempting to perform administrative actions.

File Integrity Checks:

  • Integrity Monitoring: Deploy file integrity monitoring systems to detect unauthorized changes or deletions of critical files.
  • Automated Alerts: Set up automated alerts to notify administrators of any unauthorized file deletion attempts.

Security Plugins and Tools:

  • Web Application Firewalls (WAFs): Utilize WAFs to block malicious requests that attempt to exploit file deletion vulnerabilities.
  • Security Plugins: Install reputable security plugins that offer real-time monitoring and protection against unauthorized actions.

Regular Updates and Patching:

  • Software Updates: Ensure that all plugins, themes, and the WordPress core are updated to their latest versions to mitigate known vulnerabilities.
  • Vulnerability Scanning: Perform regular vulnerability scans to identify and address potential security issues promptly.

By implementing these detection methods, administrators can proactively identify and mitigate risks associated with unauthorized file deletion vulnerabilities.

Source: Wordfence Threat Intelligence
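As an added example for the log-analysis checks above (not from the advisory, Wordfence or the plugin), a small scanner that flags deletion requests carrying traversal sequences in constructed access-log lines and counts them per client; the endpoint, action and parameter names it looks for are assumptions, not the plugin's real ones.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Added example, not from the advisory or the plugin. It scans access-log lines
# (Apache/nginx combined format) for file-deletion requests whose file
# parameter carries a directory-traversal sequence, then counts hits per client
# so repeated attempts from one address stand out. The endpoint and parameter
# names (admin-ajax.php, action=bbpo_delete_file, file=) are assumptions for
# the constructed sample; substitute the ones seen in your own plugin traffic.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
DELETE_ACTION = "action=bbpo_delete_file"
# '..' followed by a separator, another parameter or the end, checked after decoding
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|&|$)")

def flag_line(line):
    """Return a hit dict for a traversal attempt against the delete action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # decode twice so %252e%252e (double-encoded '..') is caught as well
    url = unquote(unquote(m.group("url")))
    if DELETE_ACTION not in url or not TRAVERSAL_RE.search(url):
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "url": url}

def scan(lines):
    """Return (hits, per-ip counts) over an iterable of raw log lines."""
    hits = [h for h in (flag_line(line) for line in lines) if h]
    return hits, Counter(h["ip"] for h in hits)

# Constructed sample: two traversal attempts from one client (one of them
# double-encoded), one legitimate deletion and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=bbpo_delete_file&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=bbpo_delete_file&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=bbpo_delete_file&file=po-42.pdf HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2025:10:02:30 +0000] "GET /shop/?s=..%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for hit in found:
        print(hit["ip"], hit["status"], hit["url"])
    print(dict(per_ip))
```

Only query-string parameters reach the access log; a deletion sent in a POST body is visible the same way only through application-level or WAF logging.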

Affected Systems and Versions

  • WooCommerce Purchase Orders plugin for WordPress
  • All versions up to and including 1.0.2
  • Any WordPress installation with this plugin enabled is vulnerable if users with subscriber-level access or higher are present

Vendor Security History

WooCommerce and its ecosystem have experienced several critical vulnerabilities in both core and extension plugins. Notable incidents include:

  • July 2021: Critical vulnerability in WooCommerce core prompted automatic security updates across over 90 releases (source).
  • 2018: File deletion flaw in WooCommerce core allowed privilege escalation via log deletion (source).

These incidents highlight recurring challenges with secure file handling and access control in the WooCommerce and WordPress plugin ecosystem.
