CVE-2025-14301

Description

The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.

PUBLISHED Reserved 2025-12-08 | Published 2026-01-14 | Updated 2026-01-15 | Assigner Wordfence

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Timeline

Credits

Muhammad Yudha - DJ finder

References

www.wordfence.com/...-1a26-4759-bca6-b5aaffa25af4?source=cve

plugins.trac.wordpress.org/...r/class-module-logger-hook.php

plugins.trac.wordpress.org/...r/class-module-logger-hook.php

plugins.trac.wordpress.org/...r/class-module-logger-hook.php

plugins.trac.wordpress.org/...r/class-module-logger-hook.php

cve.org (CVE-2025-14301)

nvd.nist.gov (CVE-2025-14301)

Download JSON