Description

The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated user, such as a subscriber, to delete arbitrary files on the server.

PUBLISHED Reserved 2025-11-06 | Published 2025-12-12 | Updated 2025-12-12 | Assigner WPScan

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: affected

Any version: affected

Credits

Khaled Alenazi (Nxploited) finder

WPScan coordinator

References

wpscan.com/...rability/1650ddac-04c7-47fa-b03e-bd0338243fcc/ exploit vdb-entry technical-description

cve.org (CVE-2025-12835)

nvd.nist.gov (CVE-2025-12835)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.