CVE-2025-14301

Summary

The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the process_table_bulk_actions() function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the wsaw-log[] POST parameter, which can be leveraged to delete critical files like wp-config.php or read sensitive configuration files.

Affected Software

VendorProductVersion RangeStatus
woosaaiIntegration Opvius AI for WooCommerce0 <= 1.3.0affected

Weaknesses

  • CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References