CVE-2025-32587 Overview
CVE-2025-32587 is a path traversal vulnerability in the WooCommerce Pickupp plugin for WordPress, developed by pickupp. The flaw allows attackers to perform PHP Local File Inclusion (LFI) by manipulating file path parameters that fail to properly restrict directory access. The vulnerability affects WooCommerce Pickupp versions up to and including 2.4.3. It is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and carries a network-based attack vector with no authentication required.
Critical Impact
Unauthenticated attackers can include arbitrary PHP files from the server, leading to information disclosure, code execution, and full compromise of the WordPress site.
Affected Products
- WooCommerce Pickupp WordPress plugin (wc-pickupp)
- All versions from initial release through 2.4.3
- WordPress sites running WooCommerce with the Pickupp integration enabled
Discovery Timeline
- 2025-04-11 - CVE-2025-32587 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-32587
Vulnerability Analysis
The WooCommerce Pickupp plugin fails to sanitize user-supplied input used in file inclusion operations. Attackers can supply traversal sequences such as ../ to escape the intended directory and reference arbitrary files on the host filesystem. Because the plugin processes these paths through PHP file inclusion functions, included files are interpreted as PHP code rather than served as static content.
This class of vulnerability, Local File Inclusion (LFI), commonly leads to disclosure of sensitive configuration files such as wp-config.php, exposure of credentials, and execution of attacker-controlled code when combined with file upload primitives or log poisoning techniques. The Exploit Prediction Scoring System (EPSS) score for this issue reflects a moderate, but not imminent, likelihood of exploitation.
Root Cause
The root cause is insufficient validation of file path parameters passed to PHP include or require statements within the wc-pickupp plugin. The code accepts user-controllable input and concatenates it into a filesystem path without canonicalization, allowlist enforcement, or rejection of directory traversal sequences.
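The following is an added illustration, not code from the wc-pickupp plugin: a hypothetical template loader that shows the insecure include pattern described above beside a hardened version that enforces an allowlist and a canonical-path containment check. The template names, the directory layout and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the wc-pickupp plugin: a hypothetical template loader
// showing the insecure include pattern the advisory describes beside a hardened one.
// Template names, directory layout and function names are assumptions for illustration.

// INSECURE PATTERN (never called in this demo): the request parameter is concatenated
// straight into the include path. "../" sequences escape the templates directory, and
// whatever file is reached is executed as PHP.
function load_template_insecure(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: resolve the request to a file only if it names an allowlisted template AND
// its canonical path stays inside the base directory. Returns null when rejected.
function resolve_template(string $template, string $base_dir): ?string
{
    // 1. Allowlist of known template names (hypothetical). Anything else is refused,
    //    so traversal sequences never reach the filesystem layer at all.
    $allowed = ['pickup-form', 'pickup-summary'];
    if (!in_array($template, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise both paths and require containment. realpath()
    //    resolves "..", "." and symlinks, and returns false for files that do not exist.
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $template . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // The trailing separator stops "/srv/templates-other" from passing as "/srv/templates".
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function load_template_hardened(string $template, string $base_dir): void
{
    $path = resolve_template($template, $base_dir);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template');
    }
    include $path;
}

// Stand-alone demo: build a throwaway templates directory and show which inputs resolve.
$dir = sys_get_temp_dir() . '/wc-pickupp-demo-' . getmypid();
mkdir($dir, 0700, true);
file_put_contents($dir . '/pickup-form.php',    "<?php echo \"pickup-form rendered\\n\";\n");
file_put_contents($dir . '/pickup-summary.php', "<?php echo \"pickup-summary rendered\\n\";\n");

$inputs = [
    'pickup-form',                    // allowlisted name          -> resolves
    'pickup-summary',                 // allowlisted name          -> resolves
    '../../wp-config',                // traversal                 -> rejected by allowlist
    'pickup-form/../pickup-summary',  // not an allowlisted name   -> rejected
];
foreach ($inputs as $input) {
    $resolved = resolve_template($input, $dir);
    printf("%-32s => %s\n", var_export($input, true),
        $resolved === null ? 'REJECTED' : 'ok: ' . basename($resolved));
}
load_template_hardened('pickup-form', $dir); // prints "pickup-form rendered"

// Remove the demo directory again.
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

The allowlist is the control that actually closes the hole; the realpath() containment check only matters if the allowlist is ever widened to accept user-shaped names, and it also guards against symlinks placed inside the templates directory. Inside WordPress, core's validate_file() rejects any path containing ".." and can be layered in as a further check, but it does not replace an allowlist.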
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to a vulnerable endpoint exposed by the plugin. The request includes a manipulated parameter containing path traversal sequences pointing to a target file on the server. The PHP interpreter resolves the path, loads the file, and executes any PHP contained within it. The high attack complexity reflects the need to identify a writable or attacker-controllable file to achieve code execution, though file disclosure alone is straightforward.
No verified public proof-of-concept code is available. Refer to the Patchstack WooCommerce Pickupp Plugin Vulnerability advisory for additional technical context.
Detection Methods for CVE-2025-32587
Indicators of Compromise
- HTTP requests to wc-pickupp plugin endpoints containing ../ or URL-encoded variants such as %2e%2e%2f in query parameters
- Web server access logs showing requests referencing sensitive files like wp-config.php, /etc/passwd, or PHP session files
- Unexpected PHP errors in logs referencing file inclusion failures from plugin directories
- New or modified PHP files in wp-content/uploads/ or other writable directories following suspicious requests
Detection Strategies
- Inspect WordPress and web server access logs for path traversal patterns directed at the wc-pickupp plugin path
- Deploy WordPress-aware web application firewall (WAF) rules that block directory traversal sequences in plugin parameters
- Monitor file integrity on the WordPress installation for unauthorized changes to PHP files
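The indicators and the log-inspection strategy above can be turned into a small scanner. The script below is an added example, not part of this advisory or of any vendor tooling: it parses combined-format access log lines, decodes percent-encoding repeatedly so that %2e%2e%2f and double-encoded %252e%252e%252f both normalise to "../", and flags requests that carry traversal sequences or reference sensitive files, marking those aimed at the wc-pickupp plugin path. The log lines are constructed, and the endpoint file name in them is a placeholder rather than the plugin's real endpoint.

```php
<?php
// Added example, not part of the advisory: scan web server access log lines for path
// traversal attempts, and mark those directed at the wc-pickupp plugin path.
// The log lines are constructed; "example-endpoint.php" is a placeholder, not a real file.

const PLUGIN_PATH = '/wp-content/plugins/wc-pickupp/';

// Decode percent-encoding a bounded number of times so single- and double-encoded
// traversal sequences both normalise to "../". Backslashes are folded to "/" as well.
function normalise_request(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return str_replace('\\', '/', $target);
}

// Parse one combined-format line: ip ident user [time] "METHOD target PROTO" status ...
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the list of reasons a request target is suspicious (empty when it is not).
function classify(string $target): array
{
    $norm    = normalise_request($target);
    $reasons = [];
    if (strpos($norm, '../') !== false) {
        $reasons[] = 'traversal';
    }
    if (preg_match('#(wp-config\.php|/etc/passwd|/sess_)#i', $norm)) {
        $reasons[] = 'sensitive-file';
    }
    if ($reasons && strpos($norm, PLUGIN_PATH) !== false) {
        $reasons[] = 'wc-pickupp-endpoint';
    }
    return $reasons;
}

function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = classify($req['target']);
        if ($reasons) {
            $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                       'target' => $req['target'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample: one benign asset request, one plain traversal, one double-encoded
// traversal, and one sensitive-file reference outside the plugin path.
$sample = [
    '198.51.100.7 - - [11/Apr/2025:09:58:01 +0000] "GET /wp-content/plugins/wc-pickupp/assets/style.css HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Apr/2025:10:01:22 +0000] "GET /wp-content/plugins/wc-pickupp/example-endpoint.php?tpl=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [11/Apr/2025:10:01:25 +0000] "GET /wp-content/plugins/wc-pickupp/example-endpoint.php?tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.9 - - [11/Apr/2025:10:03:40 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 404 210 "-" "python-requests/2.31"',
];

foreach (scan_log($sample) as $hit) {
    printf("%s %s [%d] %s => %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['target'], implode(',', $hit['reasons']));
}
```

In the sample, the first line produces no hit, the second and third are flagged as traversal, sensitive-file and wc-pickupp-endpoint, and the fourth is flagged as sensitive-file only. A 200 response to a flagged request on the plugin path is the case worth escalating first, since it indicates the inclusion succeeded rather than failed.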
Monitoring Recommendations
- Enable PHP error and access logging with retention sufficient for incident review
- Alert on outbound network connections initiated by the PHP-FPM or web server process to unfamiliar destinations
- Correlate plugin endpoint access with subsequent administrative actions or file changes on the host
How to Mitigate CVE-2025-32587
Immediate Actions Required
- Update the WooCommerce Pickupp plugin to a version higher than 2.4.3 as soon as a patched release is available from the vendor
- If no patched version is available, deactivate and remove the wc-pickupp plugin until a fix is published
- Audit web server and PHP logs for prior exploitation attempts referencing the plugin
- Rotate any credentials, API keys, or salts stored in wp-config.php if exploitation is suspected
Patch Information
Review the Patchstack advisory for current patch availability and vendor remediation guidance. Versions through 2.4.3 remain vulnerable.
Workarounds
- Restrict access to the plugin's vulnerable endpoints using web server rules or WAF policies until patching is possible
- Apply PHP open_basedir restrictions to confine file inclusion to the WordPress document root
- Disable allow_url_include in php.ini to limit inclusion to local files only and reduce RFI escalation risk
- Run WordPress under a least-privilege filesystem user that cannot read sensitive system files
; Example php.ini hardening to reduce LFI impact (php.ini comments use ";", not "#";
; adjust open_basedir to the actual document root of the site)
allow_url_include = Off
; allow_url_fopen = Off also disables fopen()/file_get_contents() on URLs; verify that
; plugins which depend on it still work before deploying this setting
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.