WordPress Plugin Vulnerabilities

Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal

Description

The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.

Affects Plugins

Plugin icon
woosa-ai-for-woocommerce
No known fix

References

CVE
CVE-2025-14301
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/34612902-1a26-4759-bca6-b5aaffa25af4

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Muhammad Yudha - DJ
Verified
No
WPVDB ID
230d2785-fdbd-4342-ae2a-031362f8f00b

Timeline

Publicly Published
2026-01-13 (about 2 months ago)
Added
2026-01-13 (about 2 months ago)
Last Updated
2026-01-14 (about 2 months ago)

Other

Published
Title
Published
2024-06-06
Title
Database Cleaner < 1.0.6 - Authenticated (Admin+) Arbitrary File Read
Published
2016-03-21
Title
ABtest - File Inclusion
Published
2025-06-27
Title
Plugin Inspector <= 1.5 - Authenticated (Admin+) Arbitrary File Download
Published
2024-04-26
Title
Spectra – WordPress Gutenberg Blocks < 2.12.7 - Contributor+ Path Traversal
Published
2025-03-29
Title
Smush Image Compression and Optimization < 3.17.1 - Admin+ Directory Traversal