CVE-2025-47535
📋 TL;DR
This path traversal vulnerability in the Opal Woo Custom Product Variation WordPress plugin allows attackers to delete arbitrary files on the server. It affects all WordPress sites running any version of this plugin up to and including 1.2.0. Attackers can exploit it to delete critical system files or website content.
💻 Affected Systems
- Opal Woo Custom Product Variation WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete website compromise through deletion of WordPress core files, configuration files, or operating system files, leading to site unavailability, data loss, or server takeover.
Likely Case
Website defacement or disruption through deletion of theme files, plugin files, or uploaded content, causing service interruption and potential data loss.
If Mitigated
Limited impact if file permissions are properly configured and the web server runs with minimal privileges, though some website functionality may still be affected.
🎯 Exploit Status
The vulnerability is publicly documented with technical details, making exploitation straightforward for attackers with basic web security knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.2.0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Opal Woo Custom Product Variation'.
4. Click 'Update Now' if an update is available.
5. If no update appears, deactivate and delete the plugin immediately.
🔧 Temporary Workarounds
Disable Plugin
Deactivate the vulnerable plugin to prevent exploitation
wp plugin deactivate opal-woo-custom-product-variation
File Permission Hardening
Set restrictive permissions on critical directories
chmod 755 wp-content
chmod 644 wp-config.php
chmod 755 wp-admin
chmod 755 wp-includes
🧯 If You Can't Patch
- Immediately deactivate and remove the Opal Woo Custom Product Variation plugin
- Implement web application firewall (WAF) rules to block path traversal patterns like '../' in requests
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Opal Woo Custom Product Variation' version 1.2.0 or earlier
Check Version:
wp plugin get opal-woo-custom-product-variation --field=version
Verify Fix Applied:
Verify plugin is either updated to version after 1.2.0 or completely removed from the plugins directory
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns to plugin endpoints
- File deletion errors in WordPress or web server logs
- 404 errors for suddenly missing files
Network Indicators:
- HTTP requests with path traversal sequences to /wp-content/plugins/opal-woo-custom-product-variation/ endpoints
SIEM Query:
source="web_server_logs" AND (uri="*../*" AND uri="*opal-woo-custom-product-variation*")
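As an added example (not part of the advisory), a small Python log scanner that applies the detection indicators above to access-log lines. Unlike the literal '*../*' SIEM match, it percent-decodes each URI (bounded, so double-encoding is also collapsed) before looking for traversal sequences, and it separates requests aimed at the plugin directory named above from traversal elsewhere. The endpoint name and the log lines are constructed placeholders, not the plugin's real endpoints or real traffic.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Plugin directory named in the advisory's network indicators.
PLUGIN_PATH = "/wp-content/plugins/opal-woo-custom-product-variation/"

# Minimal parser for Apache/nginx "combined" access-log lines (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), fold backslashes to '/', lowercase.
    This collapses '%2e%2e%2f' and double-encoded '%252e%252e%252f' to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def classify(uri: str) -> Optional[str]:
    """'plugin' = traversal aimed at the plugin path, 'generic' = traversal elsewhere,
    None = no traversal sequence after decoding."""
    norm = normalize_uri(uri)
    if "../" not in norm:
        return None
    return "plugin" if PLUGIN_PATH in norm else "generic"

def scan_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (severity, client_ip, timestamp, raw_uri) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        severity = classify(m["uri"])
        if severity:
            hits.append((severity, m["ip"], m["ts"], m["uri"]))
    return hits

# Constructed sample log lines (not real traffic); 'placeholder-endpoint' is not a real plugin file.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/assets/app.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2025:12:00:07 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/placeholder-endpoint?file=../../../wp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.5 - - [10/May/2025:12:00:09 +0000] "GET /wp-content/plugins/opal-woo-custom-product-variation/placeholder-endpoint?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    '198.51.100.9 - - [10/May/2025:12:01:00 +0000] "GET /index.php?p=..%2F..%2Freadme.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed real access logs line by line in place of SAMPLE_LOG; 'plugin' hits on a site still running version 1.2.0 or earlier warrant checking the plugin and theme directories for missing files.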