CVE-2025-26933 Overview
CVE-2025-26933 is a PHP Local File Inclusion (LFI) vulnerability in the Nitin Prakash WC Place Order Without Payment plugin for WooCommerce. The flaw affects all versions up to and including 2.6.7. The plugin passes attacker-influenced filenames to PHP include or require statements without adequate control, allowing an attacker to load arbitrary local files into the PHP execution context. A non-PHP file (a log, a session file, an uploaded image) is echoed back or, if it carries PHP tags, executed; a .php file such as wp-config.php is executed rather than displayed, so disclosing PHP source through an LFI normally requires the sink to accept a stream wrapper such as php://filter. Successful exploitation can therefore disclose sensitive data, expose source code, or escalate to remote code execution when combined with a primitive that writes attacker-controlled content to disk. The issue is tracked under CWE-98.
Critical Impact
Attackers can cause vulnerable WordPress sites to include arbitrary local files into PHP execution, potentially leading to full site compromise when chained with a writable-file primitive such as log poisoning or a file upload.
Affected Products
- Nitin Prakash WC Place Order Without Payment plugin for WooCommerce
- WordPress sites running wc-place-order-without-payment versions through 2.6.7
- WooCommerce installations using affected plugin versions
Discovery Timeline
- 2025-03-10 - CVE-2025-26933 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-26933
Vulnerability Analysis
The vulnerability resides in how the WC Place Order Without Payment plugin handles user-controllable input passed to PHP file inclusion functions. The plugin accepts filename parameters without sufficient validation or allowlisting before passing them to include or require statements. This category of weakness, classified as CWE-98, enables attackers to direct the PHP interpreter to load files outside the intended directory scope.
As scored, exploitation requires user interaction, such as a privileged user following a crafted link, but does not require authentication, and the attack complexity is rated high. That rating should not be read as "the traversal path is hard to build": crafting the path is routine, and a high CVSS attack complexity reflects conditions outside the attacker's control rather than the effort of assembling the request.
Root Cause
The root cause is improper control of filenames used in PHP include or require statements. The plugin does not enforce a strict allowlist of permitted include targets and does not reject traversal sequences in user-supplied path parameters, so request input flows directly into a PHP file inclusion sink. Stripping traversal sequences is not a sufficient fix on its own (encoded, doubly encoded and backslash variants are easy to miss); the durable control is an allowlist of known template names with no path data taken from the request, backed by a realpath containment check.
Attack Vector
An unauthenticated attacker delivers a crafted URL to a target user. When the request reaches the vulnerable endpoint, the plugin includes the attacker-specified path. Useful targets are files whose contents the attacker can already influence: web server or PHP log files containing injected PHP, PHP session files seeded through a session value the attacker controls, or uploaded media carrying embedded PHP. Because include() executes a file whatever its extension, renaming an upload to .php is unnecessary unless the sink appends a fixed suffix. Including wp-config.php executes it (the database credentials become constants) but prints nothing; reading it requires a stream wrapper such as php://filter/convert.base64-encode/resource=, which only works when the sink does not prepend a directory to the input. Chaining the LFI with log poisoning or session file injection commonly produces remote code execution.
The vulnerability has an EPSS probability of 1.131% and a percentile of 78.4. EPSS estimates the likelihood of exploitation activity in the wild over the next 30 days, not interest among exploit developers; a score in the 78th percentile places this CVE above most published vulnerabilities. Refer to the Patchstack Vulnerability Advisory for additional context.
Detection Methods for CVE-2025-26933
Indicators of Compromise
- HTTP requests to plugin endpoints containing path traversal sequences such as ../ or encoded variants like %2e%2e%2f
- Access log entries referencing sensitive files including wp-config.php, /etc/passwd, or PHP session files via plugin parameters
- PHP warnings in the web server or PHP error log reporting inclusion failures from the wc-place-order-without-payment directory, for example "include(...): Failed to open stream: No such file or directory" or "Failed opening '...' for inclusion", where the failed path contains traversal sequences or a wrapper such as php://
Detection Strategies
- Inspect WordPress access logs for query strings targeting the wc-place-order-without-payment plugin with filename or path parameters
- Deploy web application firewall rules that flag traversal patterns and known sensitive file targets in plugin requests
- Monitor PHP error logs for inclusion failures originating from the affected plugin directory
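The following PHP script is an added example, not part of the advisory or the plugin, that implements the indicators and the access-log checks listed above over constructed combined-format log lines. The endpoint name "example-endpoint.php" and the "template" parameter in the sample lines are placeholders; the advisory does not name the vulnerable file or parameter.

```php
<?php
// Added example, not from the advisory or the plugin: scan access-log lines
// for LFI attempts aimed at the plugin directory. Sample lines are
// constructed; endpoint and parameter names in them are assumptions.
declare(strict_types=1);

const PLUGIN_SLUG = 'wc-place-order-without-payment';

/** Decode repeatedly so double-encoded traversal (%252e%252e%252f) is
 *  caught, then fold case and backslashes so one pattern set covers them. */
function normalize_uri(string $uri): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    return strtolower(str_replace('\\', '/', $uri));
}

/** Return the names of the LFI indicators that fire on a request URI. */
function lfi_indicators(string $uri): array
{
    $n = normalize_uri($uri);
    $hits = [];
    if (str_contains($n, '../')) {
        $hits[] = 'traversal';
    }
    if (str_contains($n, "\0")) {
        $hits[] = 'null-byte';          // legacy suffix-truncation trick
    }
    if (preg_match('#\b(?:php|file|data|phar|zip|expect)://#', $n)) {
        $hits[] = 'stream-wrapper';     // php://filter source disclosure etc.
    }
    if (preg_match('#wp-config\.php|/etc/passwd|/proc/self/environ|/sess_[a-z0-9]+#', $n)) {
        $hits[] = 'sensitive-target';
    }
    return $hits;
}

/** Scan combined-format access log lines; return one finding per suspicious
 *  request that touches the plugin's directory. */
function scan_access_log(array $lines): array
{
    $findings = [];
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                   // not a request line we understand
        }
        [, $ip, $time, $uri, $status] = $m;
        if (!str_contains(normalize_uri($uri), PLUGIN_SLUG)) {
            continue;                   // only requests against the plugin
        }
        $hits = lfi_indicators($uri);
        if ($hits !== []) {
            $findings[] = ['ip' => $ip, 'time' => $time, 'status' => (int) $status,
                           'indicators' => $hits, 'uri' => $uri];
        }
    }
    return $findings;
}

// Constructed sample log; "example-endpoint.php" and "template" are placeholders.
$sample = [
    '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/plugins/wc-place-order-without-payment/example-endpoint.php?template=../../../../wp-config.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-content/plugins/wc-place-order-without-payment/example-endpoint.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1180',
    '198.51.100.4 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-content/plugins/wc-place-order-without-payment/example-endpoint.php?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3000',
    '192.0.2.9 - - [10/Mar/2025:12:00:04 +0000] "GET /?p=12&q=../etc HTTP/1.1" 200 9000',
    '192.0.2.9 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-content/plugins/wc-place-order-without-payment/example-endpoint.php?template=thank-you HTTP/1.1" 200 900',
];

foreach (scan_access_log($sample) as $f) {
    printf("%s %-13s %d %-32s %s\n",
        $f['time'], $f['ip'], $f['status'], implode(',', $f['indicators']), $f['uri']);
}
```

On the constructed sample the first three lines are reported (plain traversal, double-encoded traversal and a php://filter wrapper, each also naming a sensitive file) while the traversal outside the plugin path and the benign plugin request are not. Pipe a real log through the same functions with file('access.log') in place of $sample; a 200 status on a flagged request deserves the most attention, since a 403 or 404 usually means the WAF or the file system already refused it.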
Monitoring Recommendations
- Enable file integrity monitoring on wp-content/plugins/wc-place-order-without-payment/ and core WordPress configuration files
- Forward web server and PHP error logs to a centralized SIEM for correlation against LFI signatures
- Alert on outbound connections from the web server process that may indicate post-exploitation tooling
How to Mitigate CVE-2025-26933
Immediate Actions Required
- Deactivate the WC Place Order Without Payment plugin until a patched version is installed
- Audit WordPress sites for the presence of wc-place-order-without-payment versions 2.6.7 or earlier
- Rotate WordPress secrets, database credentials, and API keys if exploitation is suspected
Patch Information
At the time of publication, no fixed version is referenced in the advisory. Administrators should monitor the Patchstack Vulnerability Advisory for updates from the plugin author and apply patches as soon as they are released.
Workarounds
- Restrict access to wp-admin and plugin endpoints via IP allowlisting at the web server or WAF tier
- Configure PHP open_basedir to limit which directories the interpreter can read and include from, for example the site's document root plus its temp directory. This blocks targets outside those paths such as /etc/passwd and PHP session files, but not files inside the web root such as wp-config.php or uploads, so it narrows the exposure rather than removing it
- Disable direct execution of PHP within the WordPress uploads directory using web server configuration. This stops a dropped web shell from being requested directly, but it does not stop the vulnerable include() from loading the same file, because inclusion happens inside the PHP process and never passes through the web server's location rules
# Example nginx rule blocking PHP execution in uploads. Place it before the
# generic "location ~ \.php$" fastcgi block: nginx uses the first matching
# regex location, so a rule declared after the PHP handler is never reached.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


