CVE-2025-13391
Description
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing capability check in Uni CPO plugin for WooCommerce allows unauthenticated attackers to delete arbitrary files if file path is known.
The Uni CPO Premium plugin for WooCommerce contains a missing capability check in the uni_cpo_remove_file function, present in versions up to and including 4.9.60. This function processes file deletion requests without verifying user permissions, violating WordPress authorization guidelines. [1]
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable endpoint. The only prerequisite is knowledge of the target file path, which can potentially be guessed or discovered via information disclosure. This allows the attacker to delete arbitrary attachments or files stored on the server, as well as files stored in Dropbox if the integration is enabled. [1]
Successful exploitation results in unauthorized deletion of files, leading to potential data loss, disruption of e-commerce operations, or defacement of the site. The impact is heightened if the attacker can delete critical files such as uploaded media, plugin configurations, or cached data.
The vendor released a partial patch in version 4.9.60. Users are strongly advised to update to the latest available version. If an update is not possible, implementing additional access controls or disabling the vulnerable function through custom code may mitigate the risk. [1]
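The checks whose absence is described above, as an added example that is not code from the Uni CPO plugin or its vendor. The action name `example_remove_file`, the nonce action `example_remove_file_nonce`, and the request fields `nonce` and `attachment_id` are hypothetical; only the WordPress core functions are real.

```php
<?php
/**
 * Added illustration: an authorized file-removal AJAX handler.
 * All "example_*" names and request field names are hypothetical.
 */

// Register for logged-in users only. Because no wp_ajax_nopriv_ hook is
// added, WordPress never dispatches unauthenticated requests to this handler.
add_action( 'wp_ajax_example_remove_file', 'example_remove_file' );

function example_remove_file() {
    // 1. CSRF protection: dies with HTTP 403 unless the nonce is valid.
    check_ajax_referer( 'example_remove_file_nonce', 'nonce' );

    // 2. Accept a numeric attachment ID only, never a caller-supplied path,
    //    so the request cannot point at an arbitrary file.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $attachment    = $attachment_id ? get_post( $attachment_id ) : null;
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( array( 'message' => 'Unknown attachment.' ), 404 );
    }

    // 3. Capability check: 'delete_post' is a meta capability, so WordPress
    //    resolves it against this specific attachment and its author.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 4. Delete only after every check has passed. wp_delete_attachment()
    //    returns a falsy value on failure.
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }

    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
```

A handler that must serve guests cannot rely on steps 1 and 3 alone, because WordPress nonces for logged-out visitors are not bound to an individual user; it would need a per-upload secret tied to the visitor's session.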
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MooMoo Agency/Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium), range: <=4.9.60
Patches
No patches discovered yet.
References