What the vulnerability does
01Description
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.
Explanation of Vulnerability in Simple Terms
02Summary
The Uni CPO plugin for WooCommerce does not properly check user permissions before allowing modifications to product options and pricing formulas. An unauthenticated attacker can modify product prices or options without authorization. The vulnerability affects all versions up to 4.9.60. Site owners should update to a version newer than 4.9.60 when available.
What an attacker can do
03Attacker Capabilities
Modify product prices, options, or pricing formulas without logging in.
Potential impact on your site
04Site Impact
Product prices and options can be altered by anyone, potentially causing revenue loss or customer confusion.
Conditions required to exploit
05Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06Disclosure timeline
February 11, 2026
CVE published
April 8, 2026
Record updated