A high-severity vulnerability has been identified in the Premmerce Product Search for WooCommerce plugin. This flaw, known as a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files from the underlying web server, such as configuration files containing database credentials. Successful exploitation could lead to a significant data breach and further system compromise.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from an improper control of filenames used in PHP's include or require statements. An attacker can exploit this by crafting a special request that manipulates an input parameter to specify a file path on the server. This forces the application to include and potentially execute or display the contents of arbitrary local files, such as wp-config.php (containing database credentials) or system files like /etc/passwd.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a severe business impact, primarily affecting data confidentiality and system integrity. An attacker could exfiltrate sensitive information, including database credentials, API keys, and other application secrets stored on the server. This could lead to a full database compromise, unauthorized access to customer data, reputational damage, regulatory fines, and provide a foothold for attackers to escalate their privileges and move laterally across the network.

Immediate Action: Identify all websites using the vulnerable "Premmerce Product Search for WooCommerce" plugin and apply the security updates provided by the vendor immediately. After patching, review web server access logs for any signs of exploitation that may have occurred prior to the update.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests targeting the vulnerable plugin. Look for log entries containing path traversal sequences (e.g., ../, ..\/) or attempts to access common sensitive files like wp-config.php, .env, or /etc/passwd. Monitor for unusual PHP errors in logs, which could indicate failed inclusion attempts.

Compensating Controls: If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules designed to detect and block LFI and path traversal attack patterns. As a temporary measure, disabling the vulnerable plugin can also remove the immediate attack vector until a patch can be applied. Restricting the web server's file permissions can also limit the impact by preventing it from accessing sensitive files outside of its root directory.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the potential for sensitive data exposure, it is critical that organizations prioritize the remediation of this vulnerability. We strongly recommend immediately applying the vendor-supplied security patch to all instances of the affected plugin. Although this vulnerability is not currently listed on the CISA KEV catalog, its impact is significant, and proactive patching is the most effective defense against potential future exploitation.