Cyber Posture

CVE-2025-5391

Severity: High
Published: 12 August 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see changeset 3356360 under Deeper analysis
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0127 (79.6th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-5391 is a high-severity Path Traversal (CWE-22) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE ranks in the top 20.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10 Information Input Validation): Directly mitigates the path traversal vulnerability by requiring validation of file path inputs to the delete_file() function, preventing arbitrary file deletion.
- prevent: Requires identification, reporting, and correction of the specific flaw in file path validation within the WooCommerce Purchase Orders plugin, enabling timely patching.
- prevent (AC-6 Least Privilege): Enforces least privilege to restrict Subscriber-level users from accessing file deletion functions that could target arbitrary server files like wp-config.php.
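The two controls above (AC-6 and SI-10) translate directly into code. The following PHP helper is an added illustration, not the plugin's own delete_file() and not code from the advisory: it canonicalises the user-supplied path, refuses anything that resolves outside a plugin-owned base directory, and gates the operation behind a WordPress capability that Subscriber-level accounts do not hold. The base directory argument, the function names resolve_inside() and safe_delete_file(), and the capability name 'manage_woocommerce' are assumptions chosen for the example.

```php
<?php
// Added example (not the WooCommerce Purchase Orders plugin's code).
// Assumptions: $base_dir is the directory the plugin owns for its files;
// 'manage_woocommerce' is an illustrative capability that Subscribers lack.

/**
 * Resolve $relative against $base_dir and return the canonical path only if
 * it stays inside $base_dir. Returns null for traversal, symlink escapes,
 * missing files, empty input, or NUL bytes.
 */
function resolve_inside(string $base_dir, string $relative): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                       // base directory must exist
    }
    // Cheap rejects before touching the filesystem.
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so "../../wp-config.php"
    // resolves to its true location and fails the prefix check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;                       // target does not exist
    }
    // Compare with a trailing separator so "/srv/uploads-evil" is not
    // mistaken for a child of "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return $candidate;
}

/**
 * Delete a plugin-owned file. Returns true on success, false on refusal.
 */
function safe_delete_file(string $base_dir, string $user_supplied): bool
{
    // AC-6 Least Privilege: require a capability Subscriber-level users lack.
    // The function_exists() guard lets this run outside WordPress for testing.
    if (function_exists('current_user_can') && !current_user_can('manage_woocommerce')) {
        return false;
    }
    // SI-10 Input Validation: only canonical paths under $base_dir are eligible.
    $target = resolve_inside($base_dir, $user_supplied);
    if ($target === null || !is_file($target)) {
        return false;
    }
    return unlink($target);
}
```

Called as safe_delete_file(WP_CONTENT_DIR . '/uploads/bbpo', '../../wp-config.php') (directory name assumed), the helper returns false without touching the filesystem, because the resolved path does not carry the base-directory prefix. Checking the prefix on the realpath() result rather than on the raw string is what closes the symlink and "..." variants that naive substring filters miss.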

MITRE ATT&CK Enterprise Techniques

- T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
- T1490 Inhibit System Recovery (Impact): Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
- T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal enables arbitrary file deletion (T1485/T1070.004) and site disruption via config deletion (T1490); RCE is an indirect follow-on.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Deeper analysis

CVE-2025-5391 is a path traversal vulnerability (CWE-22) in the WooCommerce Purchase Orders plugin for WordPress, affecting all versions up to and including 1.0.2. The issue stems from insufficient file path validation in the delete_file() function within class-bbpo-purchase-orders-files.php, enabling arbitrary file deletion on the server. Rated at CVSS 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), it was published on 2025-08-12.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By manipulating file paths, they can delete any file on the server, such as wp-config.php, which can cause denial of service or, when the right file is removed, lead to remote code execution through site compromise.

Mitigation details are outlined in WordPress plugin advisories, including the Wordfence threat intelligence report and plugin trac references. A patch addressing the validation flaw is available in changeset 3356360, which security practitioners should apply by updating to a fixed version of the plugin beyond 1.0.2. Source code diffs at the referenced lines in class-bbpo-purchase-orders-files.php and class-bbpo-purchase-orders.php confirm the remediation.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products

WordPress
(inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2025-13377 (shared CWE-22)
- CVE-2026-27040 (shared CWE-22)
- CVE-2026-24135 (shared CWE-22)
- CVE-2024-13897 (shared CWE-22)
- CVE-2025-15589 (shared CWE-22)
- CVE-2025-68862 (shared CWE-22)
- CVE-2025-65879 (shared CWE-22)
- CVE-2026-31913 (shared CWE-22)
- CVE-2026-25161 (shared CWE-22)
- CVE-2026-24969 (shared CWE-22)
