CVE-2025-60194
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Premmerce Product Search for WooCommerce plugin, potentially leading to sensitive information disclosure or code execution. All users running vulnerable versions of this plugin are affected.
💻 Affected Systems
- Premmerce Product Search for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, sensitive file disclosure (including configuration files with database credentials), and complete site takeover.
Likely Case
Sensitive information disclosure including WordPress configuration files, database credentials, and other local files accessible to the web server user.
If Mitigated
Limited impact if proper file permissions restrict web server user access to sensitive files and security controls monitor for suspicious file inclusion attempts.
🎯 Exploit Status
Exploitation is straightforward as it involves manipulating file inclusion parameters. Public proof-of-concept exists in vulnerability databases.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.5 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Premmerce Product Search for WooCommerce'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.2.5+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the Premmerce Product Search plugin until patched
wp plugin deactivate premmerce-search
Restrict PHP file functions
allUse PHP configuration to disable dangerous functions
Add to php.ini: disable_functions = include, require, include_once, require_once
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block file inclusion patterns
- Restrict web server user permissions to limit file system access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Premmerce Product Search for WooCommerce version. If version is 2.2.4 or lower, you are vulnerable.Check Version:
wp plugin get premmerce-search --field=versionVerify Fix Applied:
Verify plugin version is 2.2.5 or higher in WordPress admin panel. Test file inclusion attempts should fail.📡 Detection & Monitoring
Log Indicators:
- Unusual file paths in PHP error logs
- Multiple failed include/require attempts
- Requests with ../ patterns or absolute paths
Network Indicators:
- HTTP requests containing file inclusion parameters with path traversal sequences
- Unusual file extensions in URL parameters
SIEM Query:
source="*access.log*" AND ("premmerce-search" OR "premmerce_product_search") AND (".." OR "include" OR "require" OR "/etc/" OR "/proc/")