CVE-2025-7694

Medium CVSS: 6.8

The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Vendor

Xtendify

Product

Woffice

CWE

CWE-22

Yayın Tarihi

2025-08-02 04:15:37

Güncelleme

2025-08-12 17:49:17

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-22 Woffice MEDIUM Xtendify 2025

Referanslar

https://hub.woffice.io/woffice/changelog https://themeforest.net/item/woffice-intranetextranet-wordpress-theme/11671924 https://www.wordfence.com/threat-intel/vulnerabilities/id/41a362cf-e27e-436a-85f1-7c48e2e098eb?source=cve

Benzer Kayıtlar

Critical

CVE-2025-2798

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21.…

Medium

CVE-2025-2797

The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including,…

High

CVE-2025-2780

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing…