A high-severity vulnerability has been identified in multiple Premmerce products, specifically the Premmerce Wholesale Pricing for WooCommerce plugin. This flaw allows an attacker to trick the application into accessing and displaying the contents of sensitive files on the server. Successful exploitation could lead to the exposure of confidential data, such as configuration details and user credentials, potentially enabling further unauthorized access to the system.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from an improper control of a filename used in a PHP include() or require() statement. The application fails to properly sanitize user-supplied input that is used to construct a file path. An unauthenticated remote attacker can exploit this by manipulating input parameters with directory traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary files. This could allow the attacker to read sensitive files like wp-config.php (containing database credentials), /etc/passwd, or other system and application files, leading to significant information disclosure.

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation could have a significant negative impact on the business by leading to the compromise of sensitive data, including customer information, intellectual property, and system credentials. This data breach could result in direct financial loss, severe reputational damage, and potential regulatory penalties for non-compliance with data protection standards. If the attacker can leverage this LFI to achieve code execution, they could gain complete control over the web server, disrupting business operations and enabling further attacks against the internal network.

Immediate Action: Organizations must apply the security updates provided by the vendor to all affected systems immediately. Before deployment to production, patches should be tested in a staging environment to ensure compatibility and stability. Following the update, it is crucial to monitor for any signs of exploitation attempts and to conduct a thorough review of historical access logs for indicators of compromise.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2f, ..\) in URL parameters associated with the affected plugin. Monitor for unusual read attempts on sensitive system files by the web server process. Implementing file integrity monitoring can help detect unauthorized changes to critical application files.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Additionally, harden the web server's file permissions to restrict the web server user's access to only necessary files and directories, limiting the impact of a potential breach. Ensure PHP configurations are hardened, for example, by disabling allow_url_include.

Public Exploit Available: false

Given the high CVSS score of 7.5 and the potential for sensitive data exposure and server compromise, this vulnerability presents a significant risk. We strongly recommend that organizations identify all instances of the affected Premmerce software and prioritize the immediate application of vendor-supplied security patches. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants urgent attention. Proactive monitoring for exploitation attempts should be implemented concurrently to detect and respond to any malicious activity targeting this flaw.