Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows PHP Local File Inclusion. This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.4.
Published: 2025-11-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Premmerce Product Search for WooCommerce suffers from improper control of the filenames used in include/require statements, which enables a local file inclusion flaw. An attacker who can influence the filename passed to the PHP include may read arbitrary files on the web server, potentially exposing configuration data or credentials. If the application later executes the included file, remote code execution could also be achieved, especially if an attacker can upload or craft a PHP file accessible via the inclusion path.

Affected Systems

The vulnerability affects the Premmerce Product Search for WooCommerce plugin for WordPress, specifically all releases from its inception up through version 2.2.4. Users employing any of these plugin versions remain at risk.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high impact when exploited, and the EPSS score of less than 1% suggests a low current exploitation probability. The flaw is not listed in CISA KEV, but the potential for local file read and remote code execution warrants prudent action. Attackers can trigger the inclusion by manipulating request parameters within the plugin’s search interface, typically from a web-accessible location.

Generated by OpenCVE AI on April 30, 2026 at 05:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Premmerce Product Search for WooCommerce to version 2.2.5 or later to ensure the local file inclusion fix is applied.
  • Apply PHP configuration restrictions (e.g., open_basedir, disable_functions, safe_mode) to prevent arbitrary file inclusion on the server.
  • Implement input validation on the search query parameters to reject suspicious or path‑traversal characters before they reach the plugin code.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 07 Nov 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Premmerce; Premmerce product Search For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Premmerce; Premmerce product Search For Woocommerce; Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 20:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows PHP Local File Inclusion. This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.4.

Type: Title
Values Added: WordPress Premmerce Product Search for WooCommerce plugin <= 2.2.4 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:57.032Z

Reserved: 2025-09-25T15:28:34.981Z

Link: CVE-2025-60194

Vulnrichment

Updated: 2025-11-06T20:01:52.922Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:04.510

Modified: 2026-04-27T17:16:28.937

Link: CVE-2025-60194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses