Cyber Resilience

CVE-2025-5391

High

Published: 12 August 2025

Published
12 August 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0333 87.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-5391 is a high-severity Path Traversal (CWE-22) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function. The issue affects all versions up to and including 1.0.2 and is tracked as CWE-22 with a CVSS 3.1 score of 8.1.

Authenticated attackers with Subscriber-level access or higher can exploit the flaw over the network to delete arbitrary files on the server. Successful exploitation can readily result in remote code execution, for example by removing wp-config.php and triggering a reinstall or configuration exposure.

Public references point to a fix committed in changeset 3356360 on the WordPress plugin trac, along with source locations in class-bbpo-purchase-orders-files.php and class-bbpo-purchase-orders.php. The Wordfence advisory recommends that administrators apply the available update to close the path-traversal vector. The associated EPSS score has remained flat at 0.0333 with no material increase since disclosure.

EU & UK References

Vulnerability details

The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level…

more

access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1490 Inhibit System Recovery Impact
Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

Path traversal enables arbitrary file deletion (T1485/T1070.004) and site disruption via config deletion (T1490); RCE is indirect follow-on.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68862Shared CWE-22
CVE-2025-15589Shared CWE-22
CVE-2025-13377Shared CWE-22
CVE-2026-27040Shared CWE-22
CVE-2024-13897Shared CWE-22
CVE-2026-24135Shared CWE-22
CVE-2026-24969Shared CWE-22
CVE-2024-13910Shared CWE-22
CVE-2025-68907Shared CWE-22
CVE-2025-65879Shared CWE-22

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the path traversal vulnerability by requiring validation of file path inputs to the delete_file() function, preventing arbitrary file deletion.

prevent

Requires identification, reporting, and correction of the specific flaw in file path validation within the WooCommerce Purchase Orders plugin, enabling timely patching.

prevent

Enforces least privilege to restrict Subscriber-level users from accessing file deletion functions that could target arbitrary server files like wp-config.php.

References