CVE-2025-4564

Name of the Vulnerable Software and Affected Versions: TicketBAI Facturas para WooCommerce plugin for WordPress versions up to, and including, 3.18

Description: The issue concerns arbitrary file deletion due to insufficient file path validation via the 'delpdf' action. This allows unauthenticated attackers to delete arbitrary files on the server, potentially leading to remote code execution when critical files, such as wp-config.php, are deleted.

Recommendations: For versions up to, and including, 3.18, consider disabling the 'delpdf' action as a temporary workaround until a patch is available. Restrict access to sensitive files to minimize the risk of exploitation. Avoid using the 'delpdf' action in the affected plugin until the issue is resolved. Update to a version later than 3.18 once available to fully resolve the issue.