Description
Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through <= 4.9.9.
Published: 2025-05-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open Close WooCommerce Store plugin contains a path traversal flaw (CWE-35) that allows local file inclusion via crafted '../' sequences in its file path handling. With this vulnerability, an attacker can cause the server to read arbitrary local files. One inferred consequence of this is that if the attacker can point the inclusion to a file that contains PHP code, that code could be executed on the server. The description does not explicitly state code execution, so this impact is inferred from the nature of LFI vulnerabilities.

Affected Systems

StackWC provides the Open Close WooCommerce Store plugin for WordPress. Versions up to and including 4.9.9 are affected. No more specific version list is given, so any installation of 4.9.9 or an earlier release is considered vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score of less than 1% suggests that at present there is a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker may craft an HTTP request that contains path traversal fragments to influence the plugin's file path logic and trigger the LFI. This inference is based on the vulnerability description.

Generated by OpenCVE AI on May 1, 2026 at 08:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of the plugin, which removes the path traversal flaw.
  • If an upgrade is not immediately possible, configure the web server or a web application firewall to reject requests containing '/../' or similar path traversal patterns.
  • Limit the plugin’s use to trusted administrators and disable any public endpoints that expose its file handling functions.

Advisories
Source: EUVD
ID: EUVD-2025-13743
Title: Path Traversal vulnerability in ilmosys Open Close WooCommerce Store allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through 4.9.5.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0.
  Added: Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through <= 4.9.9.
Title
  Removed: WordPress Open Close WooCommerce Store plugin <= 5.0.0 - Local File Inclusion vulnerability
  Added: WordPress Open Close WooCommerce Store plugin <= 4.9.9 - Local File Inclusion vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through <= 4.9.9.
  Added: Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0.
Title
  Removed: WordPress Open Close WooCommerce Store plugin <= 4.9.9 - Local File Inclusion vulnerability
  Added: WordPress Open Close WooCommerce Store plugin <= 5.0.0 - Local File Inclusion vulnerability
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Path Traversal vulnerability in ilmosys Open Close WooCommerce Store allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through 4.9.5.
  Added: Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through <= 4.9.9.
Title
  Removed: WordPress Open Close WooCommerce Store <= 4.9.5 - Local File Inclusion Vulnerability
  Added: WordPress Open Close WooCommerce Store plugin <= 4.9.9 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.0006}
  Added: epss {'score': 0.00069}


Wed, 07 May 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 May 2025 14:45:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in ilmosys Open Close WooCommerce Store allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through 4.9.5.
Title WordPress Open Close WooCommerce Store <= 4.9.5 - Local File Inclusion Vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:47.937Z

Reserved: 2025-05-07T10:45:13.129Z

Link: CVE-2025-47649

Vulnrichment

Updated: 2025-05-07T20:40:06.616Z

NVD

Status: Deferred

Published: 2025-05-07T15:16:17.727

Modified: 2026-04-28T19:32:30.883

Link: CVE-2025-47649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses