Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wholesale Pricing for WooCommerce premmerce-woocommerce-wholesale-pricing allows PHP Local File Inclusion. This issue affects Premmerce Wholesale Pricing for WooCommerce: from n/a through <= 1.1.10.
Published: 2025-11-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw caused by improper control of filename in an include/require statement within the Premmerce Wholesale Pricing for WooCommerce plugin. It permits attackers to include arbitrary files from the local server, which may lead to disclosure of sensitive data or the execution of malicious code if a writable directory is involved. This flaw falls under CWE‑98.

Affected Systems

Affected systems are WordPress installations that use the Premmerce Wholesale Pricing for WooCommerce plugin version 1.1.10 or older. The vulnerability applies to all releases from the initial version up through 1.1.10.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, but the EPSS score of less than 1% suggests that real‑world exploitation is currently unlikely. The plugin is not listed in the CISA KEV catalog, and no public exploit has been reported at this time. Nonetheless, because the flaw allows arbitrary local file access, the attack vector is likely a crafted HTTP request that causes the plugin to include a file specified in a query parameter or form field. Immediate patching is advised to eliminate this risk.

Generated by OpenCVE AI on April 29, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Premmerce Wholesale Pricing for WooCommerce plugin to the latest available version (≥ 1.1.11) or apply any vendor‑supplied patch addressing the filename control issue.
  • If an upgrade is not immediately possible, temporarily disable the plugin or remove it from the WordPress installation until a fix is applied.
  • Implement or strengthen web application firewall rules to block requests that attempt to manipulate file inclusion parameters and to log potential LFI attempts for further analysis.
  • Regularly review server access logs for suspicious include attempts and ensure file permissions on the WordPress root and plugin directories are appropriately restrictive.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 16:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 06 Nov 2025 20:30:00 +0000

Type: First Time appeared
Values Added: Premmerce; Premmerce wholesale Pricing For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Premmerce; Premmerce wholesale Pricing For Woocommerce; Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wholesale Pricing for WooCommerce premmerce-woocommerce-wholesale-pricing allows PHP Local File Inclusion. This issue affects Premmerce Wholesale Pricing for WooCommerce: from n/a through <= 1.1.10.

Type: Title
Values Added: WordPress Premmerce Wholesale Pricing for WooCommerce plugin <= 1.1.10 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:57.079Z

Reserved: 2025-09-25T15:28:34.981Z

Link: CVE-2025-60192

Vulnrichment

Updated: 2025-11-06T19:56:40.348Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:04.233

Modified: 2026-04-27T17:16:28.713

Link: CVE-2025-60192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:15:23Z
