Critical Security Alert: Local File Inclusion Vulnerability in Category and Product Woocommerce Tabs Plugin (CVE-2025-13088)

Overview

A high-severity Local File Inclusion (LFI) vulnerability has been discovered in the Category and Product Woocommerce Tabs plugin for WordPress. This vulnerability, identified as CVE-2025-13088, affects all versions of the plugin up to and including version 1.0. Successful exploitation of this vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server, potentially leading to complete system compromise.

Technical Details

The vulnerability lies in the `categoryProductTab()` function within the plugin's code. Specifically, the `template` parameter lacks sufficient input validation. An attacker can manipulate this parameter to include arbitrary local files on the server. The insecure code can be found in the `include/wccategorytab.php` file. By crafting a malicious request with a specially crafted `template` parameter, an attacker can include and execute arbitrary PHP code, allowing them to gain control of the WordPress installation.

The vulnerable code snippet is related to how the plugin handles template inclusions based on user-supplied parameters. The lack of proper sanitization of the `template` parameter allows attackers to inject arbitrary file paths, leading to the Local File Inclusion vulnerability.
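The following is an added illustration, not the plugin's actual code: a hypothetical handler that reproduces the pattern the advisory describes (a `template` value flowing straight into `include`) next to a hardened version that resolves the value against a fixed allowlist and confirms the resolved path stays inside the plugin's template directory. The shortcode name, attribute name, template directory and file names are all assumptions; the page does not state how the `template` value reaches `categoryProductTab()`.

```php
<?php
// Illustrative reconstruction only (hypothetical names); not the plugin's code.

// --- Vulnerable pattern: user input decides which file PHP executes ---
function cpwt_tab_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'category_product_tab' );
    ob_start();
    // Nothing restricts the value to the templates/ directory, so whoever
    // controls the attribute (e.g. a Contributor authoring a post) controls
    // which local file is included and executed.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// --- Hardened replacement ---
// Fixed map of accepted keys to template files; the raw value never becomes a path.
function cpwt_allowed_templates() {
    return array(
        'default' => 'tab-default.php',
        'grid'    => 'tab-grid.php',
        'list'    => 'tab-list.php',
    );
}

function cpwt_resolve_template( $requested ) {
    $key       = sanitize_key( (string) $requested ); // keeps only a-z, 0-9, _ and -
    $templates = cpwt_allowed_templates();
    if ( ! isset( $templates[ $key ] ) ) {
        return false; // unknown key: refuse, do not fall through to include()
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $templates[ $key ] );
    // Defence in depth: the resolved file must still live under templates/.
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $file;
}

function cpwt_tab_hardened( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'category_product_tab' );
    $file = cpwt_resolve_template( $atts['template'] );
    if ( false === $file ) {
        return ''; // render nothing; a rejected key is also a useful log signal
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'category_product_tab', 'cpwt_tab_hardened' );
```

Rejected keys in the hardened version are a reasonable thing to log, since repeated unknown `template` values from a low-privilege account are a detection signal for probing of this class of bug.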

CVSS Analysis

This vulnerability has been assigned a CVSS score of 8.8, indicating a high level of severity. The CVSS vector is most likely AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning:

  • AV:N (Attack Vector: Network) – The vulnerability is exploitable over the network.
  • AC:L (Attack Complexity: Low) – Exploitation does not depend on special conditions outside the attacker's control.
  • PR:L (Privileges Required: Low) – An attacker needs low-level privileges (e.g., Contributor role) to exploit the vulnerability.
  • UI:N (User Interaction: None) – No user interaction is required to exploit the vulnerability.
  • S:U (Scope: Unchanged) – The vulnerability’s impact is limited to the vulnerable component.
  • C:H (Confidentiality: High) – There is a high impact to confidentiality.
  • I:H (Integrity: High) – There is a high impact to integrity.
  • A:H (Availability: High) – There is a high impact to availability.

Possible Impact

Exploitation of this LFI vulnerability can have severe consequences, including:

  • Complete System Compromise: Attackers can execute arbitrary code on the server, potentially gaining full control of the WordPress installation and the underlying system.
  • Data Breach: Sensitive data stored in the WordPress database or on the server’s file system can be accessed and stolen.
  • Website Defacement: Attackers can modify the website’s content, inject malicious code, or redirect users to malicious websites.
  • Denial of Service (DoS): Attackers can disrupt the website’s availability by crashing the server or consuming its resources.

Mitigation and Patch Steps

Unfortunately, since the description indicates the vulnerability exists up to and including version 1.0, and there is no mention of a newer patched version, the only immediate mitigation strategy is to completely remove the “Category and Product Woocommerce Tabs” plugin from your WordPress installation. This will eliminate the vulnerable code and prevent potential exploitation.

Monitor the WordPress plugin repository and the plugin developer’s website for updates. If a patched version becomes available, update the plugin immediately after verifying its authenticity and security.

In the meantime, consider using alternative plugins with similar functionality and a proven track record of security and timely updates.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
