A high-severity vulnerability has been identified in multiple Premmerce products, specifically affecting the Premmerce Wishlist for WooCommerce plugin. This flaw, a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files from the underlying server, such as configuration files containing database credentials. Successful exploitation could lead to a significant data breach and further compromise of the web application and server.

The vulnerability is a Local File Inclusion (LFI) resulting from an improper control of a filename used in a PHP include or require statement. An attacker can exploit this by sending a specially crafted request to the web server that includes path traversal sequences (e.g., ../) or absolute file paths. The vulnerable application code fails to properly sanitize this input, causing it to include and potentially display the contents of arbitrary files from the server's local file system that are readable by the web server process, such as wp-config.php or /etc/passwd.

This is a high-severity vulnerability with a CVSS score of 7.5. Exploitation can lead to the disclosure of highly sensitive information, including database credentials, application source code, and system configuration files. This information leak can serve as a stepping stone for more severe attacks, such as complete database compromise, administrative account takeover, or full system control. The potential business impact includes significant data breaches, reputational damage, loss of customer trust, and potential regulatory fines.

Immediate Action: Apply the security updates provided by Premmerce to all affected products immediately. Patches can typically be applied through the WordPress administration dashboard. After patching, it is critical to review web server access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests targeting the vulnerable plugin's endpoints. Look for suspicious patterns in request parameters, such as directory traversal characters (../, ..\/), absolute file paths (e.g., /etc/passwd), or PHP wrappers like php://filter. Implement alerts within a Security Information and Event Management (SIEM) or a Web Application Firewall (WAF) to detect and block these malicious patterns.

Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:

• Deploy a WAF with rulesets specifically designed to detect and block LFI and path traversal attacks.
• Temporarily disable the vulnerable Premmerce plugin until a patch can be applied and tested.
• Harden the web server's file permissions to ensure the web server process has read access only to the files it absolutely requires.
• Review and harden the PHP configuration (e.g., open_basedir) to restrict the locations from which PHP can access files.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and its potential for exposing critical server data, we strongly recommend that organizations apply the vendor-supplied patches as an immediate priority. Although this CVE is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its impact on widely-used WooCommerce environments makes it a significant risk. A proactive patching and monitoring stance is essential to prevent a potential compromise.