Attack Vectors
CVE-2025-13391 affects the WordPress plugin Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) (slug: uni-woo-custom-product-options-premium) and is rated Medium severity (CVSS 5.8). In versions up to and including 4.9.60, an unauthenticated attacker may be able to trigger deletion of files if they can guess or obtain the file path.
From a business perspective, the most realistic scenarios involve opportunistic scanning of exposed WordPress sites, followed by targeted attempts to remove media assets (attachments) or connected files (such as Dropbox-hosted files) used in product pages, landing pages, and campaigns.
Security Weakness
The issue is described as a missing authorization check in the plugin function uni_cpo_remove_file. In plain terms, the plugin does not adequately verify that the person requesting a file removal is allowed to do so.
Wordfence reports that this can enable unauthenticated arbitrary attachment deletion and deletion of Dropbox-stored files if the path is known, and notes the issue was only partially patched in 4.9.60. The recommended remediation is to update to 4.9.61 or newer. Source: Wordfence vulnerability record. CVE record: CVE-2025-13391.
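An illustrative pair of WordPress AJAX file-removal handlers, added here as an example and not taken from the Uni CPO plugin's code: the first mirrors the class of flaw described above (a removal callback reachable without verifying the caller), the second shows the checks a maintainer would add. The hook names, function names and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's own code. Shows a file-removal AJAX
// handler with no authorization check beside a hardened version.

// Weak pattern: exposed to logged-out users via the nopriv hook, acts on a
// caller-supplied path, and performs no nonce, capability or ownership check.
add_action( 'wp_ajax_nopriv_example_remove_file', 'example_remove_file_weak' );
function example_remove_file_weak() {
    $path = isset( $_POST['path'] ) ? $_POST['path'] : '';
    if ( $path && file_exists( $path ) ) {
        unlink( $path ); // anyone who knows the path can delete it
    }
    wp_send_json_success();
}

// Hardened pattern: authenticated callers only (no nopriv hook), nonce
// verified, the target is an attachment ID rather than a raw path, and the
// caller must hold the delete_post capability for that specific attachment.
add_action( 'wp_ajax_example_remove_file', 'example_remove_file_hardened' );
function example_remove_file_hardened() {
    check_ajax_referer( 'example_remove_file', 'nonce' ); // dies on failure

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // wp_delete_attachment() removes the attachment post and its files together,
    // so the handler never touches the filesystem with a user-controlled path.
    $deleted = wp_delete_attachment( $attachment_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
```

The same pattern applies to files held in external storage such as Dropbox: resolve the file from an ID the current user is authorized for, never from a path the request supplies.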
Technical or Business Impacts
Operational disruption: deleted product images, PDFs, design files, or configurable-option assets can break product pages and checkout experiences, directly impacting conversion rates and revenue.
Brand and campaign risk: missing media on high-visibility pages (homepages, paid landing pages, seasonal promotions) creates an immediate perception of unreliability and can waste paid media spend while teams scramble to restore assets.
Compliance and audit exposure: unexpected loss of records or customer-facing disclosures (policies, warranty documents, accessibility statements) can create governance issues, especially if your organization has change-control requirements or must demonstrate content integrity over time.
Recovery cost: even when backups exist, restoring media libraries and re-linking assets across pages, product templates, and marketing automation content can be time-consuming and costly, pulling teams away from growth initiatives.
Similar Attacks
Unauthorized actions in WordPress plugins (such as missing permission checks or unsafe file handling) have repeatedly been used to disrupt sites, damage content, or enable deeper compromise. Examples include:
WP File Manager vulnerability and widespread exploitation (Wordfence)
RevSlider vulnerability leading to large-scale WordPress compromises (Sucuri)