A high-severity vulnerability has been identified in the WooCommerce Store Toolkit plugin, which allows an attacker to access and potentially execute sensitive files on the web server. Successful exploitation could lead to the exposure of confidential data, such as database credentials, or a complete compromise of the affected website. Organizations are urged to apply the vendor-provided security patch immediately to mitigate this risk.

The vulnerability is a Local File Inclusion (LFI) flaw. It exists because the application uses user-supplied input to construct a file path for a PHP include or require statement without proper validation. An attacker can exploit this by manipulating the input with directory traversal sequences (e.g., ../) to force the application to include and execute arbitrary PHP files already on the server or to read the contents of sensitive system files, such as wp-config.php or /etc/passwd.

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation could have a significant business impact, including the theft of sensitive data like customer information and database credentials, leading to a major data breach. An attacker could also leverage this flaw to gain further access, deface the website, or execute malicious code, potentially resulting in a full server compromise. The consequences include financial loss, reputational damage, and potential regulatory penalties.

Immediate Action: Apply the security updates provided by the vendor, Josh Kohlbach, immediately. This is the most effective way to eliminate the vulnerability. After patching, review web server access logs and system logs for any signs of exploitation that may have occurred prior to remediation.

Proactive Monitoring: Security teams should monitor web server logs for suspicious requests containing directory traversal patterns (../), null bytes (%00), and attempts to access common sensitive files (e.g., wp-config.php, /etc/shadow, .env). Monitor for unexpected file modifications on the server or the creation of new, unauthorized files in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Additionally, harden server file permissions to ensure the web server process has read/write access only to the directories it absolutely requires, limiting the impact of a potential breach.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the potential for complete system compromise, organizations must treat this vulnerability with high priority. The recommended course of action is to apply the vendor-supplied patch across all affected systems without delay. Although this CVE is not currently on the CISA KEV list, the ease of exploitation for LFI vulnerabilities warrants immediate attention to prevent future compromise. Security teams should confirm the patch has been successfully deployed and continue to monitor for any related indicators of attack.