CVE-2025-39378
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin versions up to 2.4.37, potentially leading to sensitive file disclosure or code execution.
💻 Affected Systems
- Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, sensitive configuration file disclosure (database credentials, API keys), and complete site takeover.
Likely Case
Sensitive file disclosure (wp-config.php, /etc/passwd), limited code execution through log poisoning or PHP wrapper abuse, and potential privilege escalation.
If Mitigated
Limited impact with proper file permissions, disabled PHP wrappers, and restricted web server access to sensitive directories.
🎯 Exploit Status
Local File Inclusion vulnerabilities are commonly exploited. Public proof-of-concept exists on Patchstack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.38 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light'. 4. Click 'Update Now' if update available. 5. Alternatively, download version 2.4.38+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the plugin until patched
wp plugin deactivate excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
Restrict PHP file functions
linuxDisable dangerous PHP functions via php.ini
disable_functions = allow_url_fopen,allow_url_include
🧯 If You Can't Patch
- Remove plugin completely from production
- Implement web application firewall with LFI protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for 'Spreadsheet Price Changer' version 2.4.37 or earlierCheck Version:
wp plugin get excel-like-price-change-for-woocommerce-and-wp-e-commerce-light --field=versionVerify Fix Applied:
Verify plugin version is 2.4.38 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in PHP error logs
- Multiple requests with '../' patterns
- Access to sensitive files like wp-config.php
Network Indicators:
- HTTP requests with file inclusion parameters
- Unusual file extensions in URLs
SIEM Query:
source="*access.log*" AND ("../" OR "/etc/" OR "wp-config") AND status=200