Skip to main content

WooCommerce Store Toolkit CVE-2025-60204

HIGH
PHP Remote File Inclusion (CWE-98)
2025-11-06 audit@patchstack.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 24, 2026 - 00:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:16 nvd
HIGH 7.5

DescriptionCVE.org

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion.This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3.

AnalysisAI

Local file inclusion in WooCommerce Store Toolkit plugin versions up to 2.4.3 allows network-based attackers to read arbitrary files from the WordPress server via improper filename control in PHP include/require statements. Despite network-based attack vector (AV:N), the vulnerability requires high attack complexity and user interaction (AC:H/UI:R), limiting exploitation scenarios. EPSS score of 0.08% (23rd percentile) suggests low likelihood of widespread exploitation in the wild. No CISA KEV listing or public POC identified at time of analysis, though Patchstack has documented the vulnerability.

Technical ContextAI

This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement) in PHP code. The WooCommerce Store Toolkit WordPress plugin fails to properly sanitize user-controllable input used in PHP include() or require() statements, allowing path traversal sequences to reference local files outside the intended directory. Despite being categorized as PHP Remote File Inclusion in the description, the CVE ID and tags confirm this is actually Local File Inclusion (LFI). WordPress plugins are particularly susceptible to this class of vulnerability when processing user-supplied parameters for dynamic file inclusion without adequate validation or whitelisting. The affected plugin extends WooCommerce functionality for store management and toolkit operations.

Affected ProductsAI

WooCommerce Store Toolkit WordPress plugin versions from earliest release through 2.4.3 inclusive are confirmed vulnerable. This plugin by Josh Kohlbach provides store management and bulk operations functionality for WooCommerce-powered WordPress sites. The vulnerability affects all installations running version 2.4.3 or earlier. Patchstack has published vulnerability details at https://patchstack.com/database/Wordpress/Plugin/woocommerce-store-toolkit/vulnerability/wordpress-woocommerce-store-toolkit-plugin-2-4-3-local-file-inclusion-vulnerability.

RemediationAI

Update WooCommerce Store Toolkit to version 2.4.4 or later if available, per Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woocommerce-store-toolkit/vulnerability/wordpress-woocommerce-store-toolkit-plugin-2-4-3-local-file-inclusion-vulnerability. If patched version is not yet released or immediate update is not feasible, disable the WooCommerce Store Toolkit plugin entirely until patch availability is confirmed, trading toolkit functionality for security. Implement Web Application Firewall rules to block path traversal sequences in HTTP parameters (../, ..\, URL-encoded variants) targeting the plugin directory, though this provides incomplete protection as sophisticated attackers may bypass pattern matching. Restrict WordPress admin access to trusted IP ranges and enforce multi-factor authentication to reduce likelihood of successful social engineering required for UI:R component. Monitor WordPress file integrity and audit logs for unauthorized file access attempts to wp-config.php or other sensitive configuration files.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-60204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy