CVE-2025-31411
Linet ERP-Woocommerce Integration <= 3.5.12 - Authenticated (Admin+) Arbitrary File Read & Deletion
highImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
7.2
CVSS Score
7.2
CVSS Score
high
Severity
3.6.0
Patched in
35d
Time to patch
Description
The Linet ERP-Woocommerce Integration Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Attackers can leverage the same functionality to read arbitrary files on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=3.5.12PublishedApril 10, 2025
Last updatedMay 14, 2025
Affected pluginlinet-erp-woocommerce-integration
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.