Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows PHP Local File Inclusion.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename in a PHP include/require statement within the Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin. Because user input can influence the filename, an attacker can provoke the plugin to read arbitrary files or execute code, a flaw classified as CWE‑98. The ability to read local files or run malicious code can lead to full compromise of the WordPress instance and any data stored on the server.

Affected Systems

This issue affects the Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin, for all released versions up to and including 2.4.37. The plugin operates in WordPress installations that use WooCommerce or WP E-commerce, and no other vendors or products are listed as impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, classified as high severity, though its EPSS score is below 1% indicating low current exploitation likelihood. It is not listed in CISA’s KEV catalog. The likely attack vector involves an attacker sending crafted requests to the plugin’s file inclusion logic, possibly exploiting authenticated access or simply manipulating visitor input; success would allow reading sensitive local files or executing PHP code, potentially giving control over the web server.

Generated by OpenCVE AI on April 30, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to a version newer than 2.4.37 as soon as it is available.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to eliminate the vulnerability.
  • Configure PHP to disallow URL inclusion by setting allow_url_include to Off, enable open_basedir to restrict file access, and validate any inclusion paths.
  • Implement web‑application firewall rules that block requests containing patterns such as "../" or null‑byte injections to mitigate local file inclusion attempts.

Generated by OpenCVE AI on April 30, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12071 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows PHP Local File Inclusion. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows PHP Local File Inclusion. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows PHP Local File Inclusion.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows PHP Local File Inclusion. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
Title WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:29.761Z

Reserved: 2025-04-16T06:22:35.636Z

Link: CVE-2025-39378

cve-icon Vulnrichment

Updated: 2025-04-24T19:53:04.022Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T16:15:31.157

Modified: 2026-04-23T15:29:26.587

Link: CVE-2025-39378

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses