CVE-2025-47535 HIGH

CVE-2025-47535: WordPress Opal Woo Custom Product Variation plugin <= 1.2.0 - Arbitrary File Deletion Vulnerability

Vendor Wpopal
Product Opal Woo Custom Product Variation
Weakness CWE-22 · Path traversal
Published May 23, 2025
Last update April 28, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpopal Opal Woo Custom Product Variation (opal-woo-custom-product-variation) allows Path Traversal. This issue affects Opal Woo Custom Product Variation: all versions up to and including 1.2.0.

Explanation of Vulnerability in Simple Terms

02 Summary

Opal Woo Custom Product Variation versions up to and including 1.2.0 contain a path traversal vulnerability, reported as arbitrary file deletion, that allows an unauthenticated attacker to cause a denial of service by making the site unresponsive or unavailable. The vulnerability requires no user interaction and can be exploited over the network. No code execution or data theft is possible through this flaw.

What an attacker can do

03 Attacker Capabilities

Make your site unavailable or unresponsive by exploiting a path traversal flaw.

Potential impact on your site

04 Site Impact

Your site may become unavailable or slow during an attack; no data breach or code execution risk.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 23, 2025 CVE published
April 28, 2026 Record updated