EUVD-2025-17238

CVE-2025-30999 | HIGH
2025-06-06 [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd) EUVD-2025-17238
CVE Published: Jun 06, 2025 - 13:15 (nvd)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fahad Mahmood WP Shopify allows PHP Local File Inclusion. This issue affects WP Shopify: from n/a through 1.5.3.

Analysis

PHP Local File Inclusion (LFI) in the WP Shopify plugin (versions up to 1.5.3): user-controlled input reaches a PHP include/require statement without adequate restriction, so an authenticated attacker can make the web server include files of their choosing from the local filesystem. Because include() executes any PHP found in the target file, inclusion of a file the attacker can write to (for example an uploaded "image" carrying PHP code) escalates to code execution, while inclusion of non-PHP files discloses their contents. The CVSS vector requires low-privilege authenticated access (PR:L) and rates attack complexity as high (AC:H), but a successful attack fully compromises confidentiality, integrity and availability (C:H/I:H/A:H), so sites running this plugin should treat it as a significant risk.

Technical Context

This vulnerability is an instance of CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), the PHP-specific weakness in which user-controlled input reaches include(), require(), include_once() or require_once() without validation. The WP Shopify plugin does not sufficiently restrict the filename before using it in an inclusion statement, so an attacker can traverse the filesystem and include files outside the intended directory. Two consequences follow from include() semantics: a file without PHP tags (for example /etc/passwd) is emitted verbatim, disclosing its contents, while a file that contains PHP is executed, so any file the attacker can place or modify on the host (an upload, a log or a session file) turns the bug into code execution. Reading the source of a PHP file such as wp-config.php, which holds the database credentials, requires the php://filter stream wrapper and is therefore only possible when the attacker controls the start of the included path; the record does not state which parameter is affected or how the path is built. A CPE matching the affected product would have the form cpe:2.3:a:fahad_mahmood:wp_shopify:*:*:*:*:*:wordpress:*:* (versions 1.5.3 and below). LFI differs from RFI in that it is limited to files accessible to the web server process, but on a WordPress installation that still covers the configuration, uploads directory and other plugin code, so the impact remains severe.
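The following PHP is an added illustration of the CWE-98 pattern described above and of the fix a practitioner would apply; it is not code from the WP Shopify plugin, and the function names, the "view" parameter and the template directory are assumptions. It places a vulnerable include beside a hardened resolver that combines a strict allowlist with a realpath() containment check, and exercises the resolver against constructed traversal and wrapper inputs.

```php
<?php
// Added example for this page, not code from the WP Shopify plugin.
// Function names, the "view" parameter and the template directory are
// assumptions chosen to illustrate CWE-98, not the plugin's real code.
declare(strict_types=1);

// Vulnerable pattern: the request parameter reaches include() unchecked.
// ?view=../../../etc/passwd echoes the file (no PHP tags), and a path to an
// attacker-controlled file (an uploaded "image" containing <?php ...) is
// executed by include(), yielding code execution.
function render_vulnerable(string $templateDir, string $view): void
{
    include $templateDir . '/' . $view;
}

// Hardened pattern: strict allowlist of template names first, then a
// realpath() containment check so that even a future allowlist mistake
// cannot escape the template directory.
function resolve_template(string $templateDir, string $view): ?string
{
    static $allowed = ['cart', 'product', 'checkout'];
    if (!in_array($view, $allowed, true)) {
        return null;                       // not a known template name
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $view . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;                       // missing directory or file
    }
    // realpath() has resolved ../ and symlinks; the result must still sit
    // directly under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $templateDir, string $view): void
{
    $path = resolve_template($templateDir, $view);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid view';
        return;
    }
    include $path;
}

// Constructed demo: a throwaway template directory with one valid template.
$templateDir = sys_get_temp_dir() . '/cwe98-demo-templates';
if (!is_dir($templateDir)) {
    mkdir($templateDir, 0700, true);
}
file_put_contents($templateDir . '/cart.php', "<?php echo \"cart template\\n\";\n");

$inputs = [
    'cart',                                                  // legitimate
    '../../wp-config.php',                                   // traversal
    'cart/../../../../etc/passwd',                           // traversal behind a valid prefix
    'php://filter/convert.base64-encode/resource=cart.php',  // stream wrapper
];
foreach ($inputs as $in) {
    $r = resolve_template($templateDir, $in);
    printf("%-55s => %s\n", $in, $r === null ? 'REJECTED' : 'allowed: ' . $r);
}
render_hardened($templateDir, 'cart');
```

The allowlist is the real control: every input that is not literally a known template name is rejected before any path is built, which also defeats php:// wrappers and null-byte tricks that sanitising filters tend to miss. The realpath() prefix check is defence in depth and costs one filesystem call. An equivalent design maps names to paths through a fixed array and never concatenates request data into a path at all.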

Affected Products

WP Shopify: all versions from initial release through 1.5.3 (the CVE record gives the lower bound as n/a). The page does not state a fixed version.

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.2
CVSS: +38
POC: 0


EUVD-2025-17238 vulnerability details – vuln.today
