Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach Store Exporter woocommerce-exporter allows PHP Local File Inclusion.This issue affects Store Exporter: from n/a through <= 2.7.6.
Published: 2025-11-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Store Exporter plugin processes filenames supplied to PHP include and require statements without proper validation, permitting an attacker to specify arbitrary local file paths. This flaw enables Local File Inclusion (LFI) that could expose sensitive configuration files or other server data. The vulnerability is classified as CWE-98. The description does not mention that executing included code is possible, but it is inferred that if an attacker could write a PHP file to a directory that the plugin includes, that file might execute.

Affected Systems

WordPress sites that have the Josh Kohlbach Store Exporter plugin installed, in any version up through 2.7.6, are affected. Site administrators should verify the plugin version and that the plugin resides in the standard wp‑content/plugins directory under the expected path.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity. The EPSS score of < 1 % reflects a low but non-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to influence a file path parameter, typically through the plugin’s export interface or a crafted URL. The likely attack vector is client input to the plugin’s export module. An attacker who can supply a file path can read arbitrary files or, if file creation is possible, include a malicious PHP file that may execute.

Generated by OpenCVE AI on April 30, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Store Exporter plugin to a version higher than 2.7.6, which removes the vulnerable include handling logic.
  • If upgrading immediately is not possible, restrict the plugin’s include mechanism by adding a whitelist of permissible files or by removing the user‑supplied path entirely, ensuring only the plugin’s internal files are included.
  • Configure the web server or use .htaccess directives to deny read access to sensitive directories such as /wp-config.php, /php.ini, and system binaries, and prevent the application from including files from unintended locations.

Generated by OpenCVE AI on April 30, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 06 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach Store Exporter woocommerce-exporter allows PHP Local File Inclusion.This issue affects Store Exporter: from n/a through <= 2.7.6.
Title WordPress Store Exporter plugin <= 2.7.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:57.678Z

Reserved: 2025-09-25T15:28:42.279Z

Link: CVE-2025-60203

cve-icon Vulnrichment

Updated: 2025-11-06T17:36:55.438Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:16:05.860

Modified: 2026-04-27T16:16:33.483

Link: CVE-2025-60203

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T14:45:24Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')