CVE-2025-60241
📋 TL;DR
This CVE describes a PHP Local File Inclusion vulnerability in the Premmerce WordPress plugin. Attackers can include arbitrary local files from the server, potentially leading to sensitive information disclosure or code execution. All WordPress sites using vulnerable versions of the Premmerce plugin are affected.
💻 Affected Systems
- Premmerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and website defacement.
Likely Case
Sensitive file disclosure (configuration files, database credentials) and limited code execution.
If Mitigated
Limited impact if file permissions are restrictive and web server runs with minimal privileges.
🎯 Exploit Status
Exploitation is straightforward via crafted HTTP requests targeting vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.20 or later
Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/premmerce/vulnerability/wordpress-premmerce-plugin-1-3-19-local-file-inclusion-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Premmerce plugin and click 'Update Now'. 4. Verify update to version 1.3.20 or higher.
🔧 Temporary Workarounds
Disable Premmerce Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate premmerce
Restrict File Access
allConfigure web server to deny access to sensitive directories.
# Add to .htaccess for Apache:
<FilesMatch "\.(php|inc|conf|ini)$">
Order Allow,Deny
Deny from all
</FilesMatch>
# Add to nginx config:
location ~ \.(php|inc|conf|ini)$ {
deny all;
}
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block LFI patterns
- Restrict PHP file inclusion functions via php.ini (allow_url_include=Off, open_basedir restrictions)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Premmerce version. If version is 1.3.19 or lower, system is vulnerable.Check Version:
wp plugin get premmerce --field=versionVerify Fix Applied:
Confirm Premmerce plugin version is 1.3.20 or higher in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- HTTP requests with suspicious parameters containing '..', '/etc/', or file paths
- PHP warnings about failed file inclusions
Network Indicators:
- Unusual GET/POST requests to Premmerce endpoints with file path parameters
SIEM Query:
source="web_access.log" AND (uri="*premmerce*" AND (param="*../*" OR param="*/etc/*" OR param="*php://*"))