CVE-2025-12835

The WooMulti WordPress plugin through version 1.7 contains a vulnerability that allows authenticated users to delete arbitrary files on the server. The root cause is the lack of validation on a file parameter when the plugin processes file deletion requests [1]. This means the plugin does not check whether the file being deleted is within an allowed scope or belongs to the current user.

An attacker needs only a valid account on the WordPress site, such as a subscriber-level account, to exploit this flaw. The attacker can craft a request to the vulnerable endpoint, specifying the path to any file on the server that the web server user has permission to delete [1]. No additional privileges or special conditions are required beyond authentication.

Successful exploitation allows an attacker to delete arbitrary files, which could include critical WordPress configuration files (e.g., wp-config.php), uploaded media, plugin files, or other sensitive data. This can lead to a denial of service, site defacement, or further compromise depending on which files are removed [1].

As of the latest advisory, no fix is available for this vulnerability. The plugin is affected up to version 1.7, and users are advised to remove or replace the plugin until a patched version is released [1].