Skip to main content
CVE Vulnerability Database

CVE-2025-7694: Woffice Path Traversal Vulnerability

CVE-2025-7694 is a path traversal flaw in Xtendify Woffice Core plugin for WordPress that allows authenticated attackers to delete arbitrary files, potentially leading to remote code execution. This post covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-7694 Overview

CVE-2025-7694 is an arbitrary file deletion vulnerability in the Woffice Core plugin for WordPress, developed by Xtendify. The flaw resides in the woffice_file_manager_delete() function, which fails to validate user-supplied file paths. All plugin versions up to and including 5.4.26 are affected. Authenticated users with Contributor-level access or higher can delete arbitrary files on the underlying server. Deletion of sensitive files such as wp-config.php can lead to remote code execution by forcing the site into a fresh-install state controlled by the attacker. The weakness is tracked as [CWE-22] Path Traversal.

Critical Impact

Contributor-level attackers can delete arbitrary server files, including wp-config.php, enabling site takeover and remote code execution.

Affected Products

  • Xtendify Woffice Core plugin for WordPress
  • All versions up to and including 5.4.26
  • WordPress sites using the Woffice intranet/extranet theme

Discovery Timeline

  • 2025-08-02 - CVE-2025-7694 published to NVD
  • 2025-08-12 - Last updated in NVD database

Technical Details for CVE-2025-7694

Vulnerability Analysis

The vulnerability stems from insufficient validation of file path parameters passed to the woffice_file_manager_delete() function. The function accepts a user-controlled path and invokes file deletion routines without canonicalizing or restricting the path to an allowed directory. Authenticated users with Contributor role or higher can supply traversal sequences such as ../ to escape the intended file manager scope. The attack is conducted over the network through standard WordPress request handlers. Successful exploitation breaks the confidentiality, integrity, and availability of files accessible to the PHP process user.

Root Cause

The root cause is missing path sanitization in woffice_file_manager_delete(). The function does not enforce a base directory boundary, does not resolve symbolic links, and does not reject .. segments before passing the path to the filesystem deletion call. This is a classic [CWE-22] Path Traversal weakness, where trusted input handling assumes contributors will only target file manager assets.

Attack Vector

An attacker first obtains Contributor-level access, either through registration on sites that allow it or by compromising an existing low-privilege account. The attacker then issues an authenticated request to the Woffice file manager deletion endpoint with a crafted path parameter targeting files outside the file manager root. Deleting wp-config.php causes WordPress to enter setup mode on the next request, allowing the attacker to point the site at an attacker-controlled database and achieve code execution through the installer. Other high-value targets include plugin and theme integrity files and .htaccess.

No public proof-of-concept code is available. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-7694

Indicators of Compromise

  • Missing or recently deleted wp-config.php, .htaccess, or core WordPress files on Woffice-enabled hosts
  • WordPress unexpectedly redirecting to /wp-admin/install.php on subsequent visits
  • Authenticated POST requests to Woffice file manager endpoints originating from Contributor or Author accounts
  • Filesystem audit log entries showing unlink() activity on paths outside the Woffice uploads directory

Detection Strategies

  • Monitor web access logs for requests invoking the Woffice file manager delete action with path parameters containing ../ or absolute paths.
  • Alert on any deletion of wp-config.php, .htaccess, or files under wp-includes/ and wp-admin/ on production WordPress hosts.
  • Correlate low-privilege account activity with file deletion events using filesystem auditing tools such as auditd or inotifywait.

Monitoring Recommendations

  • Enable PHP error logging and capture failed file_exists checks following file manager requests.
  • Track creation of new Contributor or Author accounts followed by file manager API calls within a short interval.
  • Forward WordPress and webserver logs to a centralized analytics platform for path-traversal pattern matching.

How to Mitigate CVE-2025-7694

Immediate Actions Required

  • Update the Woffice Core plugin to a version later than 5.4.26 as soon as the vendor publishes a fixed release.
  • Audit all WordPress accounts and remove unused Contributor, Author, and Editor roles.
  • Disable open user registration on sites that do not require it to limit access to the vulnerable code path.
  • Back up wp-config.php and place file integrity monitoring on WordPress core files.

Patch Information

Review the Woffice Changelog for the latest plugin release and confirm that the patched version addresses the woffice_file_manager_delete() path validation issue. Apply the update across all environments where the Woffice theme or Core plugin is deployed. Refer to the ThemeForest Item Details page for licensed update access.

Workarounds

  • Restrict file manager capabilities to administrators only by removing the relevant capability from Contributor and Author roles using a custom add_role() adjustment.
  • Deploy a web application firewall rule that blocks requests containing ../ sequences in Woffice file manager parameters.
  • Set the PHP process user to read-only on wp-config.php where the hosting environment allows immutable file flags.
bash
# Example WAF rule pattern (ModSecurity) to block traversal in Woffice deletion requests
SecRule REQUEST_URI "@contains woffice_file_manager_delete" \
  "chain,id:1007694,phase:2,deny,status:403,msg:'CVE-2025-7694 path traversal attempt'"
  SecRule ARGS "@rx (\.\./|\.\.\\)" "t:none,t:urlDecode"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.