CVE-2025-47535: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-47535 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability affecting the Opal Woo Custom Product Variation WordPress plugin versions through 1.2.0. The vulnerability was discovered and reported on April 29, 2025, and was publicly disclosed on May 12, 2025 (Patchstack).

The vulnerability is classified as a Path Traversal issue that allows for arbitrary file deletion. It has received a CVSS v3.1 base score of 8.6 HIGH with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability requires no authentication to exploit and has been categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

This vulnerability could allow a malicious actor to delete files from the affected website. If core files are deleted, it could cause the site to break and stop functioning. The high CVSS score of 8.6 indicates that this vulnerability is highly dangerous and is expected to become mass exploited (Patchstack).

The vulnerability has been fixed in version 1.2.1 of the Opal Woo Custom Product Variation plugin. Users are strongly advised to update to version 1.2.1 or later immediately. For users of Patchstack security services, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update can be applied (Patchstack).