WooCommerce Store Toolkit CVE-2025-60204
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion.This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3.
AnalysisAI
Local file inclusion in WooCommerce Store Toolkit plugin versions up to 2.4.3 allows network-based attackers to read arbitrary files from the WordPress server via improper filename control in PHP include/require statements. Despite network-based attack vector (AV:N), the vulnerability requires high attack complexity and user interaction (AC:H/UI:R), limiting exploitation scenarios. EPSS score of 0.08% (23rd percentile) suggests low likelihood of widespread exploitation in the wild. No CISA KEV listing or public POC identified at time of analysis, though Patchstack has documented the vulnerability.
Technical ContextAI
This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement) in PHP code. The WooCommerce Store Toolkit WordPress plugin fails to properly sanitize user-controllable input used in PHP include() or require() statements, allowing path traversal sequences to reference local files outside the intended directory. Despite being categorized as PHP Remote File Inclusion in the description, the CVE ID and tags confirm this is actually Local File Inclusion (LFI). WordPress plugins are particularly susceptible to this class of vulnerability when processing user-supplied parameters for dynamic file inclusion without adequate validation or whitelisting. The affected plugin extends WooCommerce functionality for store management and toolkit operations.
Affected ProductsAI
WooCommerce Store Toolkit WordPress plugin versions from earliest release through 2.4.3 inclusive are confirmed vulnerable. This plugin by Josh Kohlbach provides store management and bulk operations functionality for WooCommerce-powered WordPress sites. The vulnerability affects all installations running version 2.4.3 or earlier. Patchstack has published vulnerability details at https://patchstack.com/database/Wordpress/Plugin/woocommerce-store-toolkit/vulnerability/wordpress-woocommerce-store-toolkit-plugin-2-4-3-local-file-inclusion-vulnerability.
RemediationAI
Update WooCommerce Store Toolkit to version 2.4.4 or later if available, per Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woocommerce-store-toolkit/vulnerability/wordpress-woocommerce-store-toolkit-plugin-2-4-3-local-file-inclusion-vulnerability. If patched version is not yet released or immediate update is not feasible, disable the WooCommerce Store Toolkit plugin entirely until patch availability is confirmed, trading toolkit functionality for security. Implement Web Application Firewall rules to block path traversal sequences in HTTP parameters (../, ..\, URL-encoded variants) targeting the plugin directory, though this provides incomplete protection as sophisticated attackers may bypass pattern matching. Restrict WordPress admin access to trusted IP ranges and enforce multi-factor authentication to reduce likelihood of successful social engineering required for UI:R component. Monitor WordPress file integrity and audit logs for unauthorized file access attempts to wp-config.php or other sensitive configuration files.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today