CVE-2025-13391 in Product Options and Price Calculation Formulas for WooCommerce Plugin
Summary
by MITRE • 02/11/2026
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
Analysis
by VulDB Data Team • 02/13/2026
CVE-2025-13391 affects the Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin, a WordPress extension that lets merchants define custom product options and price calculation formulas for their WooCommerce stores. The flaw is in the 'uni_cpo_remove_file' function, which handles file deletion for the plugin: in all versions up to and including 4.9.60 that function runs without a capability check, so the plugin's file-removal operation is not protected by WordPress access control.
Technically, 'uni_cpo_remove_file' does not verify that the caller holds a suitable WordPress capability before deleting the file named in the request. Because the function is reachable without logging in, an unauthenticated attacker who knows the path of an attachment, or of a file the plugin manages in Dropbox, can have the plugin delete it with a crafted request. This is a missing authorization check: an operation that should be limited to an authenticated, privileged user (an administrator or shop manager) is exposed to anyone who can reach the endpoint. Knowledge of the file path is the only precondition the advisory names.
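The advisory does not publish the affected function, so the following is an added illustrative example written for this page, not the Uni CPO plugin's code. It shows a hypothetical WordPress AJAX file-removal handler in the shape the advisory describes (reachable anonymously, no capability check, path taken from the request) next to a hardened version. The action name 'example_remove_file', the request fields 'file' and 'nonce', the subdirectory 'example-uploads' and the capability 'manage_woocommerce' are assumptions; the WordPress functions used (add_action, check_ajax_referer, current_user_can, wp_upload_dir, wp_delete_file, wp_send_json_*) are real core APIs.

```php
<?php
// Added example, not the plugin's own code. Assumed names: AJAX action
// 'example_remove_file', POST fields 'file' and 'nonce', upload subdirectory
// 'example-uploads', capability 'manage_woocommerce'.

// --- Vulnerable shape (as described by the advisory, reconstructed here) ---
// Registered for anonymous callers too, no capability check, and the path to
// delete comes straight from the request.
add_action( 'wp_ajax_nopriv_example_remove_file', 'example_remove_file_vulnerable' );
add_action( 'wp_ajax_example_remove_file', 'example_remove_file_vulnerable' );

function example_remove_file_vulnerable() {
    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    if ( '' !== $path && file_exists( $path ) ) {
        unlink( $path ); // deletes whatever path the caller names
        wp_send_json_success();
    }
    wp_send_json_error();
}

// --- Hardened shape ---
// No wp_ajax_nopriv_ hook, so anonymous requests never reach the handler.
// A nonce covers CSRF; the capability check is the authorization the
// advisory says was missing; the path is confined to the plugin's own folder.
add_action( 'wp_ajax_example_remove_file', 'example_remove_file_hardened' );

function example_remove_file_hardened() {
    check_ajax_referer( 'example_remove_file', 'nonce' ); // dies on a bad or missing nonce

    if ( ! current_user_can( 'manage_woocommerce' ) ) { // capability name is an assumption
        wp_send_json_error( 'forbidden', 403 );
    }

    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $target    = example_confine_to_uploads( $requested );
    if ( null === $target ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_delete_file( $target ); // core helper; runs the wp_delete_file filter then unlinks
    if ( file_exists( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}

// Map a caller-supplied name onto a file inside wp-content/uploads/example-uploads.
// Returns the resolved path, or null if the request points anywhere else.
function example_confine_to_uploads( $requested ) {
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-uploads' );
    if ( false === $base ) {
        return null; // folder missing: nothing to delete
    }

    // Only the file name is honoured; directory components, "../" and
    // absolute paths are discarded rather than interpreted.
    $name = basename( $requested );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return null;
    }

    // realpath() resolves symlinks, so a link planted inside the folder
    // that points outside it is rejected by the prefix check below.
    $full = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $full || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $full;
}
```

The two checks are independent: the nonce only proves the request was issued from a page the site rendered for this user, and the capability check is what actually decides whether the user may delete files. For records stored in Dropbox the equivalent of the path confinement is to look the file up by an identifier the plugin issued and confirm it belongs to the requesting user or order before calling the Dropbox delete API.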
The impact is data loss rather than code execution, but it can still disrupt a store. An attacker can remove product images and other attachments that product and checkout pages depend on, and because the plugin also manages files in Dropbox, deletions are not confined to the local WordPress installation but can reach the merchant's cloud storage. The handler violates the principle of least privilege: an action that should require an administrator or shop manager is available to anonymous requests. The severity for a given store depends largely on whether its uploads and Dropbox files are backed up; without backups, deleted assets have to be re-created or re-uploaded, with the associated downtime and cost.
Remediation is to update the Uni CPO plugin. Because the advisory states that the issue was only partially patched in version 4.9.60, updating to that version should not be treated as a complete fix: administrators should watch for a follow-up release from the vendor, and in the meantime limit who can reach the plugin's file-removal function (for example with a web application firewall rule) and confirm that attachments and Dropbox files are backed up. Reviewing other installed plugins for the same pattern is worthwhile, since missing authorization checks in AJAX handlers are a recurring WordPress plugin defect. The weakness is classified as CWE-284 (Improper Access Control); the more specific CWE-862 (Missing Authorization) describes the defect exactly. In ATT&CK terms, unauthorized file deletion maps to T1485 (Data Destruction), or to T1070 (Indicator Removal) when an attacker deletes files to cover other activity; T1486 (Data Encrypted for Impact) does not apply, as no encryption is involved.
Beyond patching, organizations should monitor for unexpected deletions of uploads and Dropbox files (web server logs showing requests that reach the file-removal function from clients with no WordPress session are a useful signal), keep the web server's write access to the uploads directory as narrow as the site allows, and review installed plugins regularly. The root cause here is missing access control, not input handling: every state-changing operation in a web application, and in e-commerce platforms in particular, needs an authorization check enforced server-side on each request. Regular patch management remains essential, because third-party plugins do not always receive timely or complete fixes from their developers.