CVE-2025-13391 Overview
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress contains an authorization bypass vulnerability due to a missing capability check on the uni_cpo_remove_file function. This flaw allows unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known, resulting in unauthorized data loss.
Critical Impact
An unauthenticated attacker who knows or can guess a file path can delete WordPress attachments and files stored in the connected Dropbox account. The deletion handler performs neither an authentication check nor a capability check before acting on the request.
Affected Products
- Uni CPO (Premium) plugin for WordPress versions up to and including 4.9.60
- WooCommerce sites using the Product Options and Price Calculation Formulas plugin
- WordPress installations with Dropbox integration via Uni CPO
Discovery Timeline
- 2026-02-11 - CVE-2025-13391 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2025-13391
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization). The core issue stems from the uni_cpo_remove_file function lacking proper capability checks to verify whether the requesting user has authorization to perform file deletion operations. Since no authentication is required to invoke this function, any external attacker with knowledge of target file paths can trigger file deletion.
The attack vector is network-based: the request can be sent remotely and needs no user interaction. The scope is reported as changed (resources beyond the vulnerable component, such as the linked Dropbox account, are affected), and the primary impact is to data integrity through unauthorized file deletion, with the availability of the deleted assets lost as a consequence. The fix in version 4.9.60 was only partial, so sites running 4.9.60 remain exposed and should move to a later release.
Root Cause
The root cause is a Missing Authorization vulnerability (CWE-862) in the plugin's file handling functionality. The uni_cpo_remove_file function was implemented without the necessary WordPress capability checks that would normally restrict file operations to authenticated administrators or users with appropriate permissions. This design flaw exposes the file deletion functionality to any unauthenticated request.
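To make the CWE-862 pattern concrete, here is an added example (not the Uni CPO plugin's code, and not taken from the Wordfence report) that contrasts an AJAX file-removal handler lacking a capability check with one that performs the checks WordPress expects. The action name example_remove_file, the file and attachment_id parameters and the callback names are hypothetical.

```php
<?php
// Added example, not the Uni CPO plugin's code. It contrasts the CWE-862 pattern
// described above with a handler that performs the missing checks. The action
// name, parameter names and callback names are hypothetical.

// --- Vulnerable pattern: the callback is registered for "nopriv" (anonymous)
// callers and never asks whether the requester may delete anything.
add_action( 'wp_ajax_nopriv_example_remove_file', 'example_remove_file_vulnerable' );
add_action( 'wp_ajax_example_remove_file', 'example_remove_file_vulnerable' );

function example_remove_file_vulnerable() {
    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( $path !== '' && file_exists( $path ) ) {
        unlink( $path ); // anyone who knows the path can delete it
    }
    wp_send_json_success();
}

// --- Hardened pattern: logged-in only, nonce-bound, capability-checked, and the
// target is an attachment ID rather than a caller-controlled filesystem path.
// There is deliberately no wp_ajax_nopriv_ registration: an anonymous request
// gets WordPress's default "0" response with HTTP 400 and never reaches the code.
add_action( 'wp_ajax_example_remove_file', 'example_remove_file_hardened' );

function example_remove_file_hardened() {
    // CSRF protection: the nonce must have been minted with
    // wp_create_nonce( 'example_remove_file' ). This is not authorization.
    check_ajax_referer( 'example_remove_file', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || get_post_type( $attachment_id ) !== 'attachment' ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // Per-object capability check. For attachments owned by someone else,
    // delete_post maps to delete_others_posts, so a user cannot wipe other
    // users' uploads; for anonymous callers current_user_can() is always false.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Let WordPress remove the file, its intermediate sizes and the post row together.
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
```

Two points worth keeping apart: the nonce check only stops cross-site requests, and a nonce can be obtained by any visitor if the page emits one for logged-out users, so it never substitutes for current_user_can(); and addressing the target by attachment ID instead of path removes the "if the file path is known" precondition entirely. A Dropbox-backed deletion path would need the same gate in front of the remote API call.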
Attack Vector
The vulnerability is exploitable over the network by unauthenticated attackers. An attacker would need to discover or guess the file path of the target file they wish to delete. Once the path is known, the attacker can directly invoke the uni_cpo_remove_file function through WordPress AJAX handlers or other exposed endpoints to trigger the deletion. This attack requires no user interaction and can target both local WordPress attachments and files stored in connected Dropbox accounts.
The exploitation mechanism involves sending a crafted request to the vulnerable endpoint with the target file path as a parameter. Without authorization checks in place, the plugin processes the deletion request regardless of the requester's identity or permissions. For detailed technical information, see the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-13391
Indicators of Compromise
- Unexpected file deletions in WordPress media library or uploads directory
- Missing files from connected Dropbox storage that were previously accessible
- HTTP requests to admin-ajax.php that name the uni_cpo_remove_file action, particularly by GET or from tools such as curl rather than a browser session
- Access-log entries for Uni CPO AJAX endpoints that carry a file path parameter from IPs with no prior storefront or login activity (access logs do not record WordPress authentication state, so correlate with login and WAF logs)
Detection Strategies
- Log admin-ajax.php requests (WordPress does not do this by default; a WAF or a small plugin hook can) and alert on calls to the uni_cpo_remove_file action that arrive without a logged-in session
- Implement file integrity monitoring on WordPress uploads and attachment directories
- Deploy web application firewall (WAF) rules to detect and block suspicious file deletion requests
- Review server access logs for patterns of enumeration attempts against known file paths
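The access-log review above can be scripted. The following is an added example, not part of the advisory or the plugin: it parses combined-format access log lines and reports requests to admin-ajax.php whose query string names the remove-file action. It assumes the AJAX action is called uni_cpo_remove_file (taken from the function name in the advisory) and that the target path travels in a parameter named file; confirm both against the plugin's own add_action( 'wp_ajax_nopriv_...' ) registration before relying on the rule. The sample log lines are constructed.

```php
<?php
// Added example, not part of the advisory or the plugin. Scans combined-format
// access log lines for requests to admin-ajax.php that name the Uni CPO
// remove-file action. Assumptions: the action is "uni_cpo_remove_file" and the
// target path is passed as "file"; both must be confirmed against the plugin.

const SUSPECT_ACTION = 'uni_cpo_remove_file';

/** Parse one combined-log line into named fields; null if it does not match. */
function parse_combined_log_line( string $line ): ?array {
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" '
        . '(?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"/';
    return preg_match( $re, $line, $m ) ? $m : null;
}

/**
 * Return one record per request whose query string names the suspect action.
 * Access logs carry no POST body, so a POST with the action in the body is
 * invisible here; those need the WAF log or a hook inside WordPress.
 */
function find_remove_file_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $f = parse_combined_log_line( $line );
        if ( $f === null || strpos( $f['path'], '/wp-admin/admin-ajax.php' ) !== 0 ) {
            continue;
        }
        parse_str( (string) parse_url( $f['path'], PHP_URL_QUERY ), $params );
        if ( ( $params['action'] ?? '' ) !== SUSPECT_ACTION ) {
            continue;
        }
        $hits[] = array(
            'ip'     => $f['ip'],
            'time'   => $f['time'],
            'method' => $f['method'],
            'status' => (int) $f['status'],
            'file'   => $params['file'] ?? null,
            'ua'     => $f['ua'],
        );
    }
    return $hits;
}

// Constructed sample lines, not real traffic.
$sample = array(
    '203.0.113.7 - - [11/Feb/2026:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=uni_cpo_remove_file&file=2025/11/quote.pdf HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '198.51.100.3 - - [11/Feb/2026:10:15:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://shop.example/product/x" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Feb/2026:10:16:00 +0000] "GET /product/widget/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
);

foreach ( find_remove_file_requests( $sample ) as $h ) {
    printf( "%s %s %s %d file=%s ua=%s\n",
        $h['time'], $h['ip'], $h['method'], $h['status'], $h['file'] ?? '-', $h['ua'] );
}
```

Run it against the real log with `php scan.php < access.log` after swapping the sample array for `file( 'php://stdin' )`. A 200 status on a hit means the handler ran, so pair any hit with the file integrity monitoring results; many hits from one IP with varying file values are the enumeration pattern described above.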
Monitoring Recommendations
- Enable detailed logging for the Uni CPO plugin if available
- Set up alerts for unexpected bulk file deletions in the WordPress media library
- Monitor Dropbox activity logs for deletion events originating from the WordPress integration
- Implement real-time file system monitoring for critical attachment directories
How to Mitigate CVE-2025-13391
Immediate Actions Required
- Update the Uni CPO (Premium) plugin to the latest available version beyond 4.9.60
- Audit recent file deletion activity to identify potential exploitation attempts
- Temporarily disable the Uni CPO plugin if immediate patching is not possible
- Review and back up all critical files and attachments stored via the plugin, including the Dropbox-side copies
Patch Information
The vulnerability was partially patched in version 4.9.60 of the Uni CPO plugin. Organizations should check the Builderius CPO page for the latest security updates and ensure they are running a fully patched version. Given the partial nature of the initial fix, administrators should verify that their installed version includes complete remediation for the authorization bypass.
Workarounds
- Implement server-level access controls on the WordPress AJAX handler. Note that the web server cannot tell a logged-in WordPress request from an anonymous one, and admin-ajax.php also serves legitimate anonymous front-end calls (cart fragments, plugins' own price calculators), so a blanket restriction will break parts of the storefront
- Deploy a web application firewall (WAF) with rules that block requests to the vulnerable action which carry a file path parameter; inspect POST bodies as well as query strings, since WordPress AJAX actions are normally submitted by POST
- Disable Dropbox integration temporarily if it is not business-critical, which removes the remote deletion target
- Restrict access to the WordPress admin-ajax.php endpoint using IP allowlisting where feasible, bearing in mind the caveat above
# Example: Apache 2.4 .htaccess rule to restrict admin-ajax.php access
# Caveat: this denies EVERY admin-ajax.php call from outside the listed ranges,
# not just the vulnerable action, so anonymous storefront features that rely on
# admin-ajax.php stop working. Use only where the public site does not need them.
# Requires AllowOverride AuthConfig (or All) for the WordPress directory.
<Files admin-ajax.php>
<RequireAny>
Require ip 192.168.1.0/24
Require ip 10.0.0.0/8
</RequireAny>
</Files>
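Where an IP allowlist is too blunt, a must-use plugin can virtually patch the single action inside WordPress, where the login state is known. The following is an added example, not code from Uni CPO or from the advisory: it refuses the remove-file AJAX action for anonymous callers and for logged-in users without the upload_files capability, and writes a log line for each refusal. The action name uni_cpo_remove_file is assumed from the function name in the advisory, and the file parameter is hypothetical; check the plugin's own add_action( 'wp_ajax_nopriv_...' ) calls and adjust the list.

```php
<?php
/**
 * Plugin Name: Uni CPO remove-file guard (temporary)
 * Description: Refuses unauthenticated or under-privileged calls to the Uni CPO
 *              file-removal AJAX action until the plugin is fully patched.
 *              Drop this file into wp-content/mu-plugins/.
 *
 * Added example, not code from Uni CPO or from the advisory. The action name
 * below is assumed from the function name in the advisory; the "file" parameter
 * name is hypothetical and only used for logging.
 */

const UNI_CPO_GUARDED_ACTIONS = array( 'uni_cpo_remove_file' );

/**
 * Decide whether a request should be refused. Kept free of WordPress calls so the
 * decision can be unit-tested separately from how it is enforced.
 */
function uni_cpo_guard_should_block( string $action, bool $is_ajax, bool $logged_in, bool $can_upload ): bool {
    if ( ! $is_ajax || ! in_array( $action, UNI_CPO_GUARDED_ACTIONS, true ) ) {
        return false;
    }
    // Anonymous callers are refused outright; logged-in users need upload_files,
    // the capability WordPress itself requires for managing media.
    return ! $logged_in || ! $can_upload;
}

function uni_cpo_guard_enforce(): void {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $block  = uni_cpo_guard_should_block(
        $action,
        wp_doing_ajax(),
        is_user_logged_in(),
        current_user_can( 'upload_files' )
    );
    if ( ! $block ) {
        return;
    }
    // Audit trail for the detection steps: source IP and the requested target.
    error_log( sprintf(
        'uni_cpo_guard: blocked action=%s from %s file=%s',
        $action,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_REQUEST['file'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['file'] ) ) : '-'
    ) );
    wp_send_json_error( 'forbidden', 403 );
}

// admin-ajax.php fires admin_init before dispatching wp_ajax_* / wp_ajax_nopriv_*,
// so the plugin's own callback never runs for a refused request.
add_action( 'admin_init', 'uni_cpo_guard_enforce', 0 );
```

One trade-off to accept knowingly: if the storefront relies on this action so that shoppers can remove a file they uploaded while configuring a product, the shim disables that feature for anonymous customers until the vendor's complete fix is installed. That is the cost of closing the hole from outside the plugin; the mu-plugin should be removed once a fully patched release is in place.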
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


