CVE-2025-7694 – The Woffice Core WordPress plugin allows authen... (How to Fix)

Q: What is the severity of CVE-2025-7694?

CVE-2025-7694 has a CVSS score of 6.8 (MEDIUM). The Woffice Core WordPress plugin allows authenticated attackers with Contributor-level access or higher to delete arbitrary server files due to insufficient path validation in the woffice_file_manager_delete() function. This vulnerability can lead to remote code execution by deleting critical files like wp-config.php, affecting all versions up to 5.4.26.

📋 TL;DR

The Woffice Core WordPress plugin allows authenticated attackers with Contributor-level access or higher to delete arbitrary server files due to insufficient path validation in the woffice_file_manager_delete() function. This vulnerability can lead to remote code execution by deleting critical files like wp-config.php, affecting all versions up to 5.4.26.

💻 Affected Systems

Products:

Woffice Core plugin for WordPress

Versions: All versions up to and including 5.4.26

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the plugin to be installed and active; Contributor-level or higher user access is needed for exploitation.

📦 What is this software?

Woffice by Xtendify

View all CVEs affecting Woffice →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full server compromise, data loss, or site defacement.

🟠

Likely Case

Unauthorized file deletion causing site disruption or data corruption.

🟢

If Mitigated

Limited impact if access controls restrict Contributor roles or file permissions are hardened.

🌐 Internet-Facing: HIGH, as WordPress sites are typically internet-facing and accessible to attackers.

🏢 Internal Only: MEDIUM, if internal users have Contributor access but external access is blocked.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access, but Contributor roles are commonly granted to untrusted users in some setups.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 5.4.26 (check vendor for exact version)

Vendor Advisory: https://hub.woffice.io/woffice/changelog

Restart Required: No

Instructions:

1. Update the Woffice Core plugin to the latest version via WordPress admin panel. 2. Verify the update by checking the plugin version in the installed plugins list.

🔧 Temporary Workarounds

Restrict User Roles

all

Limit Contributor-level access to trusted users only to reduce attack surface.

Disable Plugin

all

Temporarily deactivate the Woffice Core plugin if not essential, but this may break site functionality.

🧯 If You Can't Patch

Implement strict file permissions to protect critical files like wp-config.php from deletion.
Use a web application firewall (WAF) to block malicious requests targeting the vulnerable function.

🔍 How to Verify

Check if Vulnerable:

Check the plugin version in WordPress admin under Plugins > Installed Plugins; if version is 5.4.26 or lower, it is vulnerable.

Check Version:

wp plugin list --name=woffice-core --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, confirm the plugin version is above 5.4.26 and test file deletion functionality with a safe test file.

📡 Detection & Monitoring

Log Indicators:

Unusual file deletion requests in WordPress or web server logs, especially from Contributor-level users.

Network Indicators:

HTTP POST requests to endpoints involving woffice_file_manager_delete with suspicious file paths.

SIEM Query:

Example: source="wordpress.log" AND "woffice_file_manager_delete" AND response_code=200

📊 Metadata

CVE ID: CVE-2025-7694

CVSS v3 Score: 6.8 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE: CWE-22

EPSS Score: 0.27% exploit probability (49.9th percentile)

Published: August 2, 2025

Last Updated: August 12, 2025

🔗 References

https://hub.woffice.io/woffice/changelog Release Notes
https://themeforest.net/item/woffice-intranetextranet-wordpress-theme/11671924 Product
https://www.wordfence.com/threat-intel/vulnerabilities/id/41a362cf-e27e-436a-85f1-7c48e2e098eb?source=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-7694, you might also want to check these: