CVE-2025-47535 Overview
CVE-2025-47535 is a path traversal vulnerability [CWE-22] in the wpopal Opal Woo Custom Product Variation WordPress plugin. The flaw affects all versions up to and including 1.2.0. An unauthenticated remote attacker can abuse improper pathname validation to delete arbitrary files on the underlying server. Deleting critical files such as wp-config.php can force WordPress into an installation state, enabling site takeover.
Critical Impact
Unauthenticated attackers can delete arbitrary files over the network without user interaction, leading to denial of service and potential WordPress site compromise.
Affected Products
- wpopal Opal Woo Custom Product Variation plugin for WordPress
- All versions through 1.2.0
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2025-05-23 - CVE-2025-47535 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-47535
Vulnerability Analysis
The vulnerability stems from improper limitation of a pathname to a restricted directory within the Opal Woo Custom Product Variation plugin. An attacker can supply crafted input containing directory traversal sequences such as ../ to escape the intended working directory. According to the Patchstack advisory, this enables arbitrary file deletion on the affected WordPress host.
The attack requires no authentication and no user interaction. The scope change indicates that successful exploitation impacts resources beyond the vulnerable plugin itself, affecting the broader WordPress installation. Although confidentiality and integrity are not directly impacted, the availability impact is high because deleted files cannot be recovered without backups.
Deleting wp-config.php is the typical exploitation path. WordPress treats the missing configuration file as a fresh install signal, allowing an attacker to reconnect the site to an attacker-controlled database and achieve full administrative access.
Root Cause
The plugin accepts a file path parameter from user input and passes it to a deletion routine without validating that the resolved path remains within an allowed directory. The code does not normalize the path or apply allowlist checks on file names or extensions.
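The check that is missing from the description above, written out as an added PHP illustration (this is not the plugin's code, and the function name owcpv_safe_delete_upload, the AJAX action name and the upload sub-directory are assumptions). The unsafe pattern is shown first, then a version that canonicalises the path with realpath(), rejects anything that is not a bare file name, allowlists extensions, and only runs for a capable, nonce-carrying user:

```php
<?php
// Added illustration, not code from the Opal Woo Custom Product Variation plugin.
// Names (owcpv_*), the AJAX action and the upload sub-directory are assumptions.

// UNSAFE pattern of the kind the advisory describes: the request value reaches
// unlink() relative to a fixed directory with no containment check, so a value
// containing "../" segments can name any file the PHP process may delete.
function owcpv_unsafe_delete( string $base_dir, string $user_name ): bool {
    return @unlink( $base_dir . '/' . $user_name );
}

/**
 * Delete one file from the plugin's own upload area, refusing anything that
 * resolves outside that directory or is not an expected image type.
 *
 * @param string $base_dir  Absolute path of the only directory deletions may touch.
 * @param string $user_name File name taken from the request (untrusted).
 * @return bool True if a file was deleted, false if the request was refused.
 */
function owcpv_safe_delete_upload( string $base_dir, string $user_name ): bool {
    // 1. Resolve the allowed directory to a canonical absolute path.
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }

    // 2. Only a bare file name is acceptable: any directory component,
    //    including "..", means a path was supplied where a name was expected.
    $name = basename( $user_name );
    if ( '' === $name || '.' === $name || '..' === $name || $name !== $user_name ) {
        return false;
    }

    // 3. Allowlist extensions: this feature only ever removes uploaded images.
    $allowed = array( 'png', 'jpg', 'jpeg', 'gif', 'webp' );
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed, true ) ) {
        return false;
    }

    // 4. Canonicalise the final target and confirm it is still inside $base.
    //    realpath() follows symlinks, so a link planted inside the directory
    //    that points at wp-config.php is rejected here as well.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $target || strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }

    return unlink( $target );
}

// Registering only the wp_ajax_ hook (no wp_ajax_nopriv_) plus a capability and
// nonce check removes the "unauthenticated" half of the finding.
add_action( 'wp_ajax_owcpv_delete_upload', function () {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'owcpv_delete_upload' );

    $upload_dir = wp_upload_dir();
    $base_dir   = $upload_dir['basedir'] . '/opal-woo-custom-product-variation';
    // sanitize_file_name() is WordPress's own helper; it strips slashes and
    // other special characters before the value reaches the containment check.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';

    if ( owcpv_safe_delete_upload( $base_dir, $name ) ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'invalid file', 400 );
} );
```

The two layers are deliberate: sanitize_file_name() and the basename() comparison stop traversal syntax early, and the realpath() prefix check catches what string filtering cannot see, such as a symlink inside the upload directory. Each check fails closed, so a refused request deletes nothing.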
Attack Vector
An unauthenticated attacker sends an HTTP request to a vulnerable plugin endpoint containing a traversal sequence in the targeted file parameter. The server resolves the path relative to the plugin directory and deletes the referenced file. The vulnerability mechanism is documented in the Patchstack WordPress Vulnerability Report.
Detection Methods for CVE-2025-47535
Indicators of Compromise
- HTTP requests to plugin endpoints under /wp-content/plugins/opal-woo-custom-product-variation/ containing ../ or URL-encoded %2e%2e%2f sequences
- Unexpected deletion of wp-config.php, .htaccess, or core WordPress files
- WordPress redirecting visitors to /wp-admin/install.php unexpectedly
- Web server error logs showing file-not-found errors for previously valid PHP files
Detection Strategies
- Monitor WordPress plugin directories for the presence of opal-woo-custom-product-variation at version <= 1.2.0
- Inspect web access logs for POST or GET parameters containing path traversal patterns directed at the plugin
- Implement file integrity monitoring on critical WordPress files including wp-config.php, index.php, and .htaccess
- Alert on sudden HTTP 500 responses or installation wizard redirects from production WordPress sites
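The two log-based detections above (traversal sequences in requests to the plugin path, including URL-encoded forms) as an added PHP CLI example. It is not part of the advisory; the endpoint file name example-endpoint.php and the parameter name file are placeholders because the page does not name the vulnerable endpoint, and the five access-log lines are constructed with RFC 5737 example addresses:

```php
<?php
// Added detection example, not from the advisory. Flags combined-format
// access-log lines that target the plugin path with a traversal sequence,
// whether literal, URL-encoded, or double-encoded.

const OWCPV_PLUGIN_PATH = '/wp-content/plugins/opal-woo-custom-product-variation/';

/**
 * True if the request target contains a parent-directory segment after
 * repeated URL decoding (catches ../, ..%2f, %2e%2e%2f and %252e%252e%252f).
 */
function owcpv_has_traversal( string $request_target ): bool {
    $decoded = $request_target;
    // Decode at most three times; stop early once the string stops changing.
    for ( $i = 0; $i < 3; $i++ ) {
        $next = rawurldecode( $decoded );
        if ( $next === $decoded ) {
            break;
        }
        $decoded = $next;
    }
    // Treat backslashes like slashes, then look for ".." followed by a separator or end.
    $decoded = str_replace( '\\', '/', $decoded );
    return (bool) preg_match( '#\.\.(/|$)#', $decoded );
}

/**
 * Parse one combined-format line and return a finding (ip, method, target,
 * status) if it is a traversal attempt against the plugin, otherwise null.
 */
function owcpv_inspect_log_line( string $line ): ?array {
    // Combined log format: IP ident user [date] "METHOD target PROTO" status bytes ...
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return null;
    }
    [ , $ip, $method, $target, $status ] = $m;

    // Only requests aimed at the vulnerable plugin directory are of interest.
    if ( stripos( rawurldecode( $target ), OWCPV_PLUGIN_PATH ) === false ) {
        return null;
    }
    if ( ! owcpv_has_traversal( $target ) ) {
        return null;
    }
    return array( 'ip' => $ip, 'method' => $method, 'target' => $target, 'status' => (int) $status );
}

/** Run the inspector over every line and return the findings. */
function owcpv_scan_log( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $finding = owcpv_inspect_log_line( $line );
        if ( null !== $finding ) {
            $hits[] = $finding;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic). "example-endpoint.php" and the
// "file" parameter are placeholders; the advisory does not name the endpoint.
$sample = array(
    '192.0.2.10 - - [23/May/2025:10:00:01 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [23/May/2025:10:00:02 +0000] "POST /wp-content/plugins/opal-woo-custom-product-variation/example-endpoint.php?file=../../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.12 - - [23/May/2025:10:00:03 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/example-endpoint.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.13 - - [23/May/2025:10:00:04 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/example-endpoint.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"',
    '192.0.2.14 - - [23/May/2025:10:00:05 +0000] "GET /wp-content/uploads/2025/05/product.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' ) {
    foreach ( owcpv_scan_log( $sample ) as $hit ) {
        printf( "traversal attempt from %s: %s %s (HTTP %d)\n", $hit['ip'], $hit['method'], $hit['target'], $hit['status'] );
    }
}
```

Replace $sample with a line iterator over the real access log to run it against production data. The HTTP status in each finding matters for triage: a 403 shows the WAF rule fired, while a 200 on a traversal request is the case to investigate. POST bodies are not visible in access logs, so body-level traversal is only caught by a WAF or application log that records request parameters.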
Monitoring Recommendations
- Enable web application firewall logging with rules covering CWE-22 patterns
- Aggregate WordPress, PHP, and web server logs into a centralized analytics platform for correlation
- Track filesystem unlink() operations originating from PHP processes on the WordPress host
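The file integrity monitoring recommended above, as an added PHP example that complements the unlink() tracking: it hashes the WordPress files this vulnerability is typically used to delete and reports any that go missing or change between runs. It is not from the advisory; the watched-file list, the baseline location and the owcpv_* names are assumptions:

```php
<?php
// Added example, not from the advisory: a minimal file-integrity check for the
// WordPress files an arbitrary-file-deletion bug is typically used against.
// Intended to run from cron; file list, baseline path and names are assumptions.

const OWCPV_WATCHED_FILES = array( 'wp-config.php', 'index.php', '.htaccess', 'wp-load.php', 'wp-settings.php' );

/** Hash every watched file; a missing file is recorded as null. */
function owcpv_snapshot( string $wp_root, array $files = OWCPV_WATCHED_FILES ): array {
    $snap = array();
    foreach ( $files as $rel ) {
        $path         = rtrim( $wp_root, '/' ) . '/' . $rel;
        $snap[ $rel ] = is_file( $path ) ? hash_file( 'sha256', $path ) : null;
    }
    return $snap;
}

/**
 * Compare a fresh snapshot against the stored baseline.
 * Returns a list of findings (file, event); an empty list means nothing changed.
 */
function owcpv_compare( array $baseline, array $current ): array {
    $findings = array();
    foreach ( $baseline as $rel => $hash ) {
        $now = $current[ $rel ] ?? null;
        if ( null !== $hash && null === $now ) {
            $findings[] = array( 'file' => $rel, 'event' => 'deleted' );   // the CVE's outcome
        } elseif ( null === $hash && null !== $now ) {
            $findings[] = array( 'file' => $rel, 'event' => 'created' );
        } elseif ( $hash !== $now ) {
            $findings[] = array( 'file' => $rel, 'event' => 'modified' );
        }
    }
    return $findings;
}

/** Load the baseline if present; otherwise create it and report nothing. */
function owcpv_check( string $wp_root, string $baseline_file ): array {
    $current = owcpv_snapshot( $wp_root );
    if ( ! is_file( $baseline_file ) ) {
        file_put_contents( $baseline_file, json_encode( $current, JSON_PRETTY_PRINT ) );
        return array();
    }
    $baseline = json_decode( (string) file_get_contents( $baseline_file ), true ) ?: array();
    return owcpv_compare( $baseline, $current );
}

if ( PHP_SAPI === 'cli' ) {
    $root     = $argv[1] ?? '/var/www/html';                      // WordPress root (assumed)
    $baseline = $argv[2] ?? '/var/lib/owcpv-fim/baseline.json';   // kept outside the web root
    $alerts   = owcpv_check( $root, $baseline );
    foreach ( $alerts as $f ) {
        fwrite( STDERR, sprintf( "ALERT: %s %s\n", $f['file'], $f['event'] ) );
    }
    exit( $alerts ? 1 : 0 );
}
```

Store the baseline outside the web root in a directory the web server user cannot write to, and run the check as a different account than PHP-FPM; otherwise the same deletion primitive could remove the baseline along with wp-config.php. A deleted wp-config.php should be treated as an active incident, since the install wizard it triggers is the takeover path described above.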
How to Mitigate CVE-2025-47535
Immediate Actions Required
- Disable or uninstall the Opal Woo Custom Product Variation plugin until a patched version is verified
- Back up wp-config.php, the WordPress database, and the wp-content directory before remediation
- Restrict access to the plugin's endpoints at the web server or WAF layer using path-based deny rules
- Audit the WordPress installation for unauthorized administrator accounts created after potential exploitation
Patch Information
At the time of publication, the Patchstack advisory documents the vulnerability through version 1.2.0. Site administrators should consult the Patchstack WordPress Vulnerability Report and the vendor for the latest patched release. If no fixed version is available, remove the plugin.
Workarounds
- Block requests containing traversal sequences (../, ..%2f, %2e%2e/) at the WAF or reverse proxy
- Apply strict filesystem permissions so the web server user cannot delete WordPress core files
- Use a virtual patching rule that denies access to the vulnerable plugin's AJAX or REST endpoints
# Nginx rule to block path traversal attempts against the plugin.
# nginx does not URL-decode $args, so the encoded forms listed above must be
# matched explicitly; "~*" makes the match case-insensitive (%2E as well as %2e).
# This inspects the query string only; traversal in a form-encoded POST body
# needs a WAF that inspects request bodies.
location ~* /wp-content/plugins/opal-woo-custom-product-variation/ {
    if ($args ~* "(\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/)") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.