Primary

Context

Woffice Core WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

A vulnerability allowing arbitrary file deletion has been identified in the Woffice Core plugin for WordPress, affecting all versions through 5.4.26. The issue arises from inadequate file path validation in the 'woffice_file_manager_delete()' function. This vulnerability enables authenticated attackers with Contributor-level access or higher to delete arbitrary files on the server. Exploiting this flaw could lead to remote code execution, particularly if sensitive files like 'wp-config.php' are targeted.

Impact

Successful exploitation allows authenticated users with Contributor-level access or higher to delete arbitrary files on the server. This could result in remote code execution if a critical file is removed.

Remediation

Users are advised to update the Woffice Core plugin to version 5.4.27 or later.

Added: Aug 2, 2025, 4:18 AM

Updated: Aug 2, 2025, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

5.2

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

5.2

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Woffice Core WordPress Plugin Arbitrary File Deletion Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating