Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Path Traversal. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
Published: 2025-06-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin exposes a file download handler that does not adequately restrict the pathname it is given (CWE-22), so an unauthenticated attacker can request files outside the directory the handler is meant to serve: an arbitrary file download. Any file readable by the web server process is exposed, most importantly wp-config.php (database credentials and the authentication keys and salts), but also backups or exports left under the document root and system files such as /etc/passwd. Disclosed database credentials and salts enable follow-on attacks against the database and the forging of authenticated sessions, so a confidentiality-only flaw can turn into a full site compromise.

Affected Systems

The affected product is the WordPress plugin Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light (slug excel-like-price-change-for-woocommerce-and-wp-e-commerce-light) by Holest Engineering, in every release up to and including 2.4.37; the record gives no lower bound ("from n/a"), so all earlier releases should be treated as affected. Any WordPress site with the plugin installed is exposed, whether it is paired with WooCommerce or with WP e-Commerce. The record names no fixed version, so a release later than 2.4.37 should be treated as fixed only after the vendor changelog confirms it.

Risk and Exploitability

The recorded CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5, High) describes a network-reachable flaw that needs no privileges and no user interaction and affects confidentiality only: the attacker sends a request to the plugin's download handler whose file parameter carries a traversal sequence (../ or its URL-encoded form) and receives the contents of a file outside the intended directory. The EPSS score below 1% is a predicted probability of exploitation in the wild over the next 30 days, not an observed count, and the issue is not listed in CISA KEV, so no active exploitation is recorded; the SSVC assessment nevertheless marks it Automatable: yes, which is typical for unauthenticated, single-request file disclosure. No code execution is involved, but reading wp-config.php yields database credentials and authentication salts, which is a common stepping stone to full compromise.

Generated by OpenCVE AI on April 30, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version 2.4.38 or newer, after confirming in the plugin changelog that the release addresses this issue (the Remediation section above records no confirmed vendor fix)
  • If upgrading is not immediately possible, delete or disable the Spreadsheet Price Changer plugin; deactivating a plugin does not by itself prevent direct HTTP requests to PHP files inside its directory, so removing the plugin directory is the safer choice
  • Web server rules (e.g. .htaccess) that deny direct HTTP requests to wp-config.php or backup files do not address this flaw, because the file is read by PHP on the server side rather than fetched directly by the client. Instead, block requests to the plugin's download endpoint at the web server or WAF, reject request parameters that contain traversal sequences (../, ..\ and their URL-encoded forms), and keep backups and exports outside the document root

Generated by OpenCVE AI on April 30, 2026 at 11:36 UTC.
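To make the vulnerability class in the analysis above and the containment check a fix needs concrete, the following added example (not code from the Holest Engineering plugin, whose internals this page does not show) contrasts the unsafe resolver behind a typical arbitrary file download with a hardened one, and exercises both against a constructed directory layout. The handler wiring in the comment, the capability name manage_woocommerce, the query parameter file and the export directory are assumptions for illustration; the symlink probe assumes a POSIX filesystem.

```php
<?php
declare(strict_types=1);

// Vulnerable shape: the request parameter is glued onto a base directory and
// handed to readfile()/file_get_contents(). "../" simply walks out of it.
function vulnerable_resolve(string $baseDir, string $requested): string
{
    return $baseDir . '/' . $requested;
}

// Hardened shape: refuse NUL bytes and any directory component, canonicalise
// with realpath() (collapses "..", follows symlinks, false if the file is
// missing), then require the result to sit strictly below the canonical base.
function safe_resolve(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                       // PHP 8 path functions throw on NUL anyway
    }
    if (basename($requested) !== $requested) {
        return null;                       // rejects "../x", "a/b" and "%2e%2e/x" once decoded
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix    = $base . DIRECTORY_SEPARATOR;
    if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // catches ".", ".." and symlinks pointing outside
    }
    return $candidate;
}

// Typical wiring in a plugin handler (capability, parameter and directory
// names are assumptions, not the plugin's own):
//   if (!current_user_can('manage_woocommerce')) { status_header(403); exit; }
//   $path = safe_resolve(WP_CONTENT_DIR . '/uploads/price-exports', (string) ($_GET['file'] ?? ''));
//   if ($path === null) { status_header(404); exit; }
//   header('Content-Type: text/csv'); readfile($path);

// Constructed fixture: an export folder with one legitimate CSV, a wp-config.php
// one level up that must stay unreachable, and a symlink inside the folder that
// points at it. Returns, per probe, whether each resolver would serve the file.
function run_demo(): array
{
    $root = sys_get_temp_dir() . '/traversal-demo-' . bin2hex(random_bytes(4));
    mkdir($root . '/exports', 0700, true);
    file_put_contents($root . '/exports/prices.csv', "sku,price\nA1,9.99\n");
    file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'secret');\n");
    symlink($root . '/wp-config.php', $root . '/exports/link-out');
    $base = $root . '/exports';

    $probes  = ['prices.csv', '../wp-config.php', 'link-out'];
    $results = [];
    foreach ($probes as $p) {
        $results[$p] = [
            'vulnerable_serves' => is_file(vulnerable_resolve($base, $p)),
            'hardened_serves'   => safe_resolve($base, $p) !== null,
        ];
    }

    foreach (['exports/link-out', 'exports/prices.csv', 'wp-config.php'] as $f) {
        unlink($root . '/' . $f);
    }
    rmdir($root . '/exports');
    rmdir($root);
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (run_demo() as $probe => $r) {
        printf("%-18s vulnerable_serves=%-5s hardened_serves=%s\n", $probe,
            var_export($r['vulnerable_serves'], true), var_export($r['hardened_serves'], true));
    }
}
```

Run it with `php traversal_demo.php`: the legitimate prices.csv is served by both resolvers, while the ../wp-config.php probe and the symlink probe are served by the vulnerable resolver and refused by the hardened one. The basename() check alone would not catch the symlink case, which is why the realpath() containment test stays in even when only flat file names are expected; an authorization check on the handler is a separate, equally necessary control, since the CVSS vector records this issue as exploitable without privileges.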


Advisories
Source: EUVD
ID: EUVD-2025-17526
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Path Traversal. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Path Traversal. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
    Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows Path Traversal. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.
  Title
    Removed: WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Arbitrary File Download Vulnerability
    Added: WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Arbitrary File Download Vulnerability
  References: updated (values not shown)
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Fri, 11 Jul 2025 13:45:00 +0000

  Metrics (epss)
    Removed: {'score': 0.00057}
    Added: {'score': 0.00062}

Tue, 10 Jun 2025 14:15:00 +0000

  Metrics (ssvc)
    Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

  Description
    Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Path Traversal. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.
  Title
    Added: WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Arbitrary File Download Vulnerability
  Weaknesses
    Added: CWE-22
  References: added (values not shown)
  Metrics (cvssV3_1)
    Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:51.886Z

Reserved: 2025-05-15T18:01:28.792Z

Link: CVE-2025-48124

Vulnrichment

Updated: 2025-06-10T13:41:09.999Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:42.693

Modified: 2026-04-23T15:30:50.343

Link: CVE-2025-48124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses