WooCommerce Uni CPO Missing Authorization Vulnerability Allows Unauthenticated File Deletion

Vulnerability

A vulnerability in the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress, in versions through 4.9.60, allows unauthenticated users to delete arbitrary attachments or files from Dropbox, provided the file path is known. The cause is a missing capability check in the 'uni_cpo_remove_file' function, so the deletion is performed without verifying that the caller is authorized, which leads to unauthorized data loss. The vulnerability was only partially addressed in version 4.9.60, and it remains a concern for users of earlier versions.

Impact

Exploitation of this vulnerability could result in unauthorized deletion of files or attachments, particularly those stored in Dropbox.

Remediation

Users are advised to update to version 4.9.61 or a newer patched version.
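
One way to act on this advice across several installs, as an added example that is not part of the original advisory or the plugin's code: it reads each plugin's header under a wp-content/plugins directory and classifies Uni CPO copies against the versions named above. The "uni cpo" name match, the directory names and the sample version 4.9.54 are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

PARTIAL_FIX = (4, 9, 60)   # page: only partially addressed here, still affected
FIXED = (4, 9, 61)         # page: version users are advised to update to
NAME_MARKER = "uni cpo"    # assumption: substring of the Plugin Name header

def read_header(php_file, field):
    """Read one plugin header field from the first 8 KiB, as WordPress does."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
    return m.group(1).strip() if m else None

def classify(version_text):
    """Map a version string to patched / partially-fixed / vulnerable / unknown."""
    v = tuple(int(n) for n in re.findall(r"\d+", version_text.split("-")[0]))
    if not v:
        return "unknown"
    if v >= FIXED:
        return "patched"
    return "partially-fixed" if v >= PARTIAL_FIX else "vulnerable"

def audit(plugins_dir):
    """Return {plugin_dir_name: (version, status)} for every Uni CPO copy found."""
    findings = {}
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        name = read_header(php_file, "Plugin Name")
        version = read_header(php_file, "Version")
        if name and version and NAME_MARKER in name.lower():
            findings[php_file.parent.name] = (version, classify(version))
    return findings

def demo():
    """Constructed sample tree: two Uni CPO copies plus an unrelated plugin."""
    root = Path(tempfile.mkdtemp())
    samples = {"uni-cpo-a": ("Uni CPO (Premium)", "4.9.54"),
               "uni-cpo-b": ("Uni CPO (Premium)", "4.9.61"),
               "other": ("Some Other Plugin", "1.0.0")}
    for d, (name, ver) in samples.items():
        (root / d).mkdir()
        (root / d / "main.php").write_text(
            f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    return audit(root)

if __name__ == "__main__":
    for plugin, (version, status) in demo().items():
        print(f"{plugin}: {version} -> {status}")
```

Anything reported as "vulnerable" or "partially-fixed" still needs the update to 4.9.61 or newer.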

Added: Feb 11, 2026, 6:11 PM
Updated: Feb 11, 2026, 6:11 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 2.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.