CVE-2025-4564 Overview
The TicketBAI Facturas para WooCommerce plugin for WordPress contains a critical arbitrary file deletion vulnerability caused by insufficient file path validation in the delpdf action. This flaw affects all versions up to and including 3.18, allowing unauthenticated attackers to delete arbitrary files on the server. When critical files such as wp-config.php are deleted, this can directly lead to remote code execution, making this vulnerability particularly dangerous for WordPress sites using this plugin.
Critical Impact
Unauthenticated attackers can delete arbitrary files on the server, potentially leading to remote code execution when critical WordPress configuration files are removed.
Affected Products
- TicketBAI Facturas para WooCommerce plugin versions up to and including 3.18
- WordPress installations using the vulnerable plugin versions
- WooCommerce-enabled sites with TicketBAI invoice functionality
Discovery Timeline
- 2025-05-15 - CVE-2025-4564 published to NVD
- 2025-05-16 - Last updated in NVD database
Technical Details for CVE-2025-4564
Vulnerability Analysis
This vulnerability stems from a classic path traversal weakness (CWE-22) in the file deletion functionality of the TicketBAI Facturas para WooCommerce plugin. The delpdf action, designed to allow deletion of PDF invoice files, fails to properly validate and sanitize the file path parameter before processing deletion requests.
The vulnerability is particularly severe because it requires no authentication to exploit. An attacker can craft malicious requests targeting the vulnerable endpoint and specify arbitrary file paths using directory traversal sequences (e.g., ../) to escape the intended directory and delete any file accessible to the web server process.
The most devastating attack scenario involves deleting wp-config.php, which contains the WordPress database credentials and security keys. Once this file is removed, WordPress enters a reinstallation state, allowing attackers to potentially reconfigure the site with their own database and gain complete control.
Root Cause
The root cause of this vulnerability is insufficient input validation in the file path handling logic within the delpdf action handler located in wp-ticketbai.php. The plugin fails to implement proper path canonicalization and boundary checking, allowing user-supplied input containing directory traversal sequences to reference files outside the intended PDF storage directory.
Specifically, the vulnerability occurs because:
- The file path parameter is accepted directly from user input without sanitization
- No validation ensures the target file resides within the expected plugin directory
- The deletion operation executes without verifying the file type or location
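The three missing checks listed above, applied in an illustrative hardened delete handler (an added example, not the plugin's code or the vendor's fix). The function name ticketbai_safe_delete_pdf(), the nonce action 'ticketbai_delpdf' and the $invoice_dir parameter are assumptions; an authorization check is included alongside the path checks because the advisory states the action is reachable unauthenticated:

```php
<?php
// Illustrative hardened handler (added example, not the plugin's code).
// Assumed names: ticketbai_safe_delete_pdf(), the nonce action
// 'ticketbai_delpdf', and $invoice_dir as the plugin's PDF storage directory.

function ticketbai_safe_delete_pdf( string $invoice_dir, string $requested ): bool {
    // Authorization: an unauthenticated or low-privilege caller is refused.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return false;
    }
    // CSRF check (third argument false: return instead of die()).
    if ( ! check_ajax_referer( 'ticketbai_delpdf', 'nonce', false ) ) {
        return false;
    }
    // Accept a bare .pdf file name only: any directory component or
    // traversal sequence changes the value under basename() and is rejected.
    $name = basename( $requested );
    if ( $name !== $requested || strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) !== 'pdf' ) {
        return false;
    }
    // Canonicalize both sides and enforce the directory boundary; the trailing
    // separator stops /invoices from matching a sibling such as /invoices-old.
    $base   = realpath( $invoice_dir );
    $path   = $invoice_dir . DIRECTORY_SEPARATOR . $name;
    $target = realpath( $path );
    if ( $base === false || $target === false ) {
        return false;
    }
    if ( strncmp( $target, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return false;
    }
    // Refuse symlinks placed in the directory that resolve elsewhere, and non-files.
    if ( is_link( $path ) || ! is_file( $target ) ) {
        return false;
    }
    return unlink( $target );
}
```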
Attack Vector
This vulnerability can be exploited remotely over the network without any authentication or user interaction. An attacker can send specially crafted HTTP requests to the vulnerable WordPress endpoint, including the delpdf action parameter with a malicious file path.
The attack flow typically involves:
- Identifying WordPress sites running the vulnerable TicketBAI plugin
- Crafting a request to the plugin's action handler with path traversal sequences
- Targeting critical files such as wp-config.php, .htaccess, or other essential WordPress files
- Achieving denial of service or setting up conditions for remote code execution
Since no code examples are available from verified sources, administrators should review the WordPress Plugin Source Code and the WordPress Changeset Update for detailed technical analysis of the vulnerable code and the applied fix.
Detection Methods for CVE-2025-4564
Indicators of Compromise
- Unexpected HTTP requests to WordPress containing delpdf action parameters with directory traversal sequences (../)
- Missing critical WordPress files such as wp-config.php, .htaccess, or plugin files
- Web server error logs showing file not found errors for core WordPress configuration files
- Unexpected WordPress reinstallation prompts indicating configuration file deletion
Detection Strategies
- Monitor web server access logs for requests containing delpdf action with suspicious path patterns
- Implement file integrity monitoring to detect unauthorized deletion of WordPress core files
- Deploy Web Application Firewall (WAF) rules to block path traversal attempts targeting WordPress plugins
- Use security plugins that monitor and alert on changes to critical WordPress files
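The first indicator and the first detection strategy above, as a PHP command-line check over access-log lines (an added example, not from the advisory). It assumes the action is passed as a query parameter action=delpdf (the exact endpoint is not named on this page) and the sample lines are constructed, not captured traffic:

```php
<?php
// Added example: scan combined-format access-log lines for the delpdf-with-
// traversal indicator. Assumes "action=delpdf" arrives as a query parameter;
// sample lines below are constructed.

// client ident user [time] "METHOD target PROTO" status ...
const LOG_RE       = '/^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3})/';
// a ".." path segment delimited by / or \ (or the string boundary)
const TRAVERSAL_RE = '#(^|[\\\\/])\.\.([\\\\/]|$)#';

// Undo up to three layers of percent-encoding so %2e%2e%2f and
// double-encoded variants become visible to the traversal pattern.
function fully_decode( string $v ): string {
    for ( $i = 0; $i < 3 && ( $d = rawurldecode( $v ) ) !== $v; $i++ ) { $v = $d; }
    return $v;
}

// True when the target carries action=delpdf and any query value
// contains a traversal segment after decoding.
function is_delpdf_traversal( string $target ): bool {
    parse_str( (string) parse_url( $target, PHP_URL_QUERY ), $params );
    if ( strtolower( (string) ( $params['action'] ?? '' ) ) !== 'delpdf' ) {
        return false;
    }
    foreach ( $params as $value ) {
        if ( is_string( $value ) && preg_match( TRAVERSAL_RE, fully_decode( $value ) ) ) {
            return true;
        }
    }
    return false;
}

// Return [ip, time, target] for every line matching the indicator.
function scan_log( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        if ( preg_match( LOG_RE, $line, $m ) && is_delpdf_traversal( $m[3] ) ) {
            $hits[] = [ $m[1], $m[2], $m[3] ];
        }
    }
    return $hits;
}

$sample_log = [ // constructed sample lines, not real traffic
    '203.0.113.5 - - [16/May/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=invoice-1001.pdf HTTP/1.1" 200 17',
    '203.0.113.7 - - [16/May/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=../../wp-config.php HTTP/1.1" 200 17',
    '203.0.113.7 - - [16/May/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=delpdf&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 17',
    '198.51.100.2 - - [16/May/2025:10:02:00 +0000] "GET /wp-content/uploads/docs/../img.png HTTP/1.1" 200 512',
];
foreach ( scan_log( $sample_log ) as [ $ip, $time, $target ] ) {
    echo "ALERT $ip [$time] $target\n";
}
```

Only the second and third constructed lines are reported: a legitimate delpdf call with a bare file name and a traversal segment outside a delpdf request are both left alone.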
Monitoring Recommendations
- Enable detailed logging for all WordPress plugin actions and file operations
- Configure real-time alerts for any modifications or deletions of wp-config.php and other critical files
- Implement network-level monitoring for suspicious patterns targeting WordPress installations
- Regularly audit installed plugins for known vulnerabilities using WordPress security scanners
How to Mitigate CVE-2025-4564
Immediate Actions Required
- Update the TicketBAI Facturas para WooCommerce plugin to a version newer than 3.18 immediately
- If unable to update, temporarily disable or remove the vulnerable plugin from all WordPress installations
- Implement WAF rules to block requests containing path traversal sequences targeting the delpdf action
- Verify the integrity of all WordPress core files and restore any that may have been deleted
Patch Information
A security patch has been released to address this vulnerability. The fix can be reviewed in the WordPress Changeset Update. Administrators should update to the latest version of the plugin available in the WordPress plugin repository. Additional details about the vulnerability are available in the Wordfence Vulnerability Report.
Workarounds
- Disable the TicketBAI Facturas para WooCommerce plugin until an update can be applied
- Implement server-level restrictions to block direct access to plugin action handlers
- Use .htaccess or web server configuration to deny requests containing path traversal patterns
- Deploy a Web Application Firewall with rules specifically targeting arbitrary file deletion attempts
# Example .htaccess rule to block path traversal attempts in the query string
# Add to the WordPress root .htaccess file (requires mod_rewrite)
# Caveat: QUERY_STRING is matched as sent, not URL-decoded, so the patterns
# also cover percent-encoded dots and slashes; parameters sent in a POST body
# are not inspected by these rules, so a WAF is still needed for full coverage.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\.|%2e%2e)(/|%2f) [NC,OR]
RewriteCond %{QUERY_STRING} delpdf.*(\.\.|%2e%2e) [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.