CVE-2025-14301
Published: 14 January 2026
Summary
CVE-2025-14301 is a critical-severity Path Traversal (CWE-22) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied file paths in the `wsaw-log[]` POST parameter to block path traversal exploitation.
- AC-3 (Access Enforcement): enforces authentication and authorization before bulk file actions are processed, preventing unauthenticated arbitrary file deletion or download.
- Mandates timely identification, reporting, and patching of the path traversal flaw in the plugin to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public WordPress plugin enables remote, unauthenticated file read (T1005, Data from Local System), file deletion (T1485, Data Destruction), and direct exploitation of the exposed application (T1190, Exploit Public-Facing Application).
NVD Description
The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.
Deeper analysis
The Integration Opvius AI for WooCommerce plugin for WordPress, in all versions up to and including 1.3.0, contains a path traversal vulnerability (CWE-22) stemming from the `process_table_bulk_actions()` function in the logger module. This function processes user-supplied file paths via the `wsaw-log[]` POST parameter without authentication checks, nonce verification, or path validation, enabling arbitrary file operations on the server. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-14.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity. By sending crafted POST requests with malicious paths in the `wsaw-log[]` parameter, they can delete critical files such as `wp-config.php` or download sensitive configuration files, potentially leading to full server compromise, data exfiltration, or denial of service.
Advisories and references, including Wordfence threat intelligence and WordPress plugin Trac browser links to the affected code in `class-module-logger-hook.php` (lines 25, 41, 79, and 160), highlight the lack of input sanitization in the bulk action handler. Security practitioners should review these sources for detailed code analysis and update to patched versions beyond 1.3.0 where available.
Because the affected component is an AI integration plugin for WooCommerce, this vulnerability underscores the risks of third-party AI extensions for WordPress, though the available data specify no real-world exploitation details.
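The three checks the description says are missing (authorization, nonce verification, path validation) shown together in a hardened handler. This is an added example, not the plugin's own code: the function names, the `manage_woocommerce` capability, the nonce action and the log directory are assumptions, since the page does not give the plugin's layout.

```php
<?php
// Added example, not the plugin's code. Hypothetical log directory and
// hook names; the real plugin's layout is not given on the page.
function example_logs_dir(): string {
    return WP_CONTENT_DIR . '/uploads/example-logs';
}

// Resolve one user-supplied log name to a file inside $dir, or return null
// if it is not a bare file name or its canonical path leaves the directory.
function example_resolve_log_path(string $name, string $dir): ?string {
    if ($name === '' || $name !== basename($name) || strpos($name, "\0") !== false) {
        return null; // separators, '..' components or NUL bytes: reject outright
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Canonical path (symlinks resolved) must stay under the canonical log dir.
    return strpos($path, $base . DIRECTORY_SEPARATOR) === 0 ? $path : null;
}

// Hardened counterpart of a bulk-action handler: capability check, nonce
// verification and per-entry path validation before any file operation.
function example_process_table_bulk_actions(): void {
    if (!current_user_can('manage_woocommerce')) {   // 1. authorization (AC-3)
        wp_die('Forbidden', '', ['response' => 403]);
    }
    check_admin_referer('example_bulk_logs');         // 2. CSRF nonce check

    $action = isset($_POST['action']) ? sanitize_key(wp_unslash($_POST['action'])) : '';
    $names  = isset($_POST['wsaw-log']) ? (array) wp_unslash($_POST['wsaw-log']) : [];
    $dir    = example_logs_dir();

    foreach ($names as $name) {
        $path = example_resolve_log_path((string) $name, $dir);
        if ($path === null) {
            continue;                                  // 3. input validation (SI-10)
        }
        if ($action === 'delete') {
            wp_delete_file($path);
        }
        // A 'download' branch would likewise stream only the validated $path.
    }
}
```

The form that submits the bulk action must include the matching nonce field (`wp_nonce_field('example_bulk_logs')`), otherwise `check_admin_referer()` stops every request, which is the intended fail-closed behaviour.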
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai