CVE-2025-13088
📋 TL;DR
The Category and Product Woocommerce Tabs WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with contributor-level access or higher to include and execute arbitrary PHP files on the server. This affects all versions up to and including 1.0 due to insufficient input validation on the 'template' parameter.
💻 Affected Systems
- Category and Product Woocommerce Tabs WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data theft, ransomware deployment, or complete site takeover through remote code execution.
Likely Case
Unauthorized file access, sensitive data exposure, and potential backdoor installation for persistent access.
If Mitigated
Limited impact if proper access controls and file permissions restrict PHP execution in sensitive directories.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: None available
Vendor Advisory: https://plugins.trac.wordpress.org/browser/category-and-product-woocommerce-tabs/tags/1.0/include/wccategorytab.php#L108
Restart Required: No
Instructions:
1. Remove the plugin immediately. 2. Check for any unauthorized files or backdoors. 3. Consider alternative tab plugins.
🔧 Temporary Workarounds
Remove vulnerable plugin
allCompletely uninstall the Category and Product Woocommerce Tabs plugin
wp plugin deactivate category-and-product-woocommerce-tabs
wp plugin delete category-and-product-woocommerce-tabs
Restrict file permissions
linuxSet strict file permissions to prevent PHP execution in uploads and other directories
find /path/to/wordpress -type f -name '*.php' -exec chmod 644 {} \;
find /path/to/wordpress -type d -exec chmod 755 {} \;
🧯 If You Can't Patch
- Remove contributor and author roles from untrusted users
- Implement web application firewall rules to block LFI patterns
🔍 How to Verify
Check if Vulnerable:
Check if plugin 'category-and-product-woocommerce-tabs' is installed and version is 1.0 or lowerCheck Version:
wp plugin get category-and-product-woocommerce-tabs --field=versionVerify Fix Applied:
Confirm plugin is no longer installed or active in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual file include requests with 'template' parameter
- PHP execution from unexpected directories
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- HTTP requests with suspicious file paths in parameters
- Outbound connections from web server to unknown destinations
SIEM Query:
source="web_logs" AND (uri="*template=*" OR uri="*php*" OR uri="*../*")