CVE-2025-39364 Overview
CVE-2025-39364 is a PHP Local File Inclusion (LFI) vulnerability in the PluginEver Product Category Slider for WooCommerce WordPress plugin. The flaw stems from improper control of filenames passed to PHP include or require statements [CWE-98]. Authenticated attackers can manipulate file path parameters to load arbitrary local PHP files within the web server context. Successful exploitation can disclose sensitive configuration data, execute attacker-controlled PHP files already present on disk, and compromise the hosting WordPress installation. All versions of the woo-category-slider-by-pluginever plugin up to and including 4.3.4 are affected.
Critical Impact
An authenticated attacker can include arbitrary local PHP files, leading to information disclosure and potential remote code execution on the WordPress host.
Affected Products
- PluginEver Product Category Slider for WooCommerce (woo-category-slider-by-pluginever) versions through 4.3.4
- WordPress sites with WooCommerce running the affected plugin
- Shared hosting environments where the plugin is installed across multiple tenants
Discovery Timeline
- 2025-05-19 - CVE-2025-39364 published to the National Vulnerability Database
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-39364
Vulnerability Analysis
The Product Category Slider for WooCommerce plugin accepts user-controlled input that flows into a PHP include or require statement without sufficient sanitization. This pattern, classified as [CWE-98], allows attackers to alter which file the PHP interpreter loads at runtime. Although the advisory describes the issue as Local File Inclusion, the underlying weakness category also covers Remote File Inclusion behavior.
Exploitation requires network access to the WordPress site and a low-privilege authenticated account. No user interaction is needed. A successful attacker gains read access to any file the PHP process can read and can execute included PHP code under the privileges of the web server process.
Root Cause
The plugin constructs a file path from request data and passes it to a PHP file inclusion function without enforcing an allowlist or canonicalizing the resolved path. Path traversal sequences and absolute paths are not stripped, so attackers can escape the intended include directory.
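The two controls the root cause calls for, a strict allowlist of template names and canonicalization of the resolved path, are shown below as an added example in Python; it is not the plugin's code, and the template names, the directory layout and the `resolve_template`/`is_contained` helpers are constructed for illustration. The same shape applies in the PHP fix: compare the bare name against a fixed list, resolve it with realpath(), and refuse anything that does not land inside the intended template directory.

```python
import os
import tempfile

# Allowlist of template names the slider may render (constructed for this example).
ALLOWED_TEMPLATES = {"default", "grid", "carousel"}


def is_contained(base_dir: str, candidate: str) -> bool:
    """Canonicalize both paths and check that candidate lives under base_dir.

    realpath() collapses "..", "." and symlinks, so "../wp-config.php" or an
    absolute path resolves outside base_dir and is rejected here.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, candidate))
    return os.path.commonpath([base, target]) == base


def resolve_template(template_dir: str, requested: str):
    """Return the canonical path of the requested template, or None if rejected.

    Layer 1: the request must be a bare allowlisted name, which rules out
             traversal sequences, absolute paths and stream wrappers outright.
    Layer 2: the resolved file must still sit inside template_dir (defence in
             depth against symlinked templates or a tampered template_dir).
    """
    if requested not in ALLOWED_TEMPLATES:
        return None
    filename = requested + ".php"
    if not is_contained(template_dir, filename):
        return None
    path = os.path.realpath(os.path.join(template_dir, filename))
    return path if os.path.isfile(path) else None


def build_demo_dir():
    """Create a throwaway site layout (constructed sample): a config file at the
    root and a templates/ directory holding the allowlisted templates."""
    root = tempfile.mkdtemp(prefix="slider-demo-")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // stand-in for the real config, sample only\n")
    template_dir = os.path.join(root, "templates")
    os.mkdir(template_dir)
    for name in ALLOWED_TEMPLATES:
        with open(os.path.join(template_dir, name + ".php"), "w") as fh:
            fh.write("<?php // " + name + " template\n")
    return root, template_dir


if __name__ == "__main__":
    _root, tdir = build_demo_dir()
    for req in ["grid", "../wp-config.php", "/etc/passwd", "php://filter/resource=../wp-config.php"]:
        print(repr(req), "->", resolve_template(tdir, req))
```

Running the block prints the resolved path for `grid` and `None` for the three rejected inputs; `is_contained` alone already rejects the traversal and absolute-path cases, which is why the allowlist and the containment check are kept as separate functions.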
Attack Vector
An authenticated user submits a crafted request containing a manipulated file path parameter to the vulnerable plugin endpoint. The plugin includes the targeted file, executing any PHP it contains or returning its contents in the response. Common targets include wp-config.php, log files seeded with attacker-controlled PHP, and uploaded media files renamed to .php. See the Patchstack Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-39364
Indicators of Compromise
- HTTP requests to plugin endpoints under /wp-content/plugins/woo-category-slider-by-pluginever/ containing ../ sequences, absolute paths, or PHP wrappers such as php://filter
- Unexpected access to sensitive files including wp-config.php, /etc/passwd, or session files originating from the web server user
- New or modified PHP files in wp-content/uploads/ shortly after suspicious plugin requests
Detection Strategies
- Inspect WordPress and web server logs for parameters that contain encoded path traversal patterns (%2e%2e%2f, ....//) targeting the affected plugin
- Alert on PHP processes reading files outside the WordPress document root or the plugin's expected include directory
- Correlate authenticated subscriber or contributor sessions with file inclusion patterns that are atypical for those roles
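The log inspection described in the first detection strategy, as an added example that is not part of the original advisory: a small scanner over web server access log lines in Combined Log Format that restricts itself to requests under the plugin path, percent-decodes parameter values repeatedly so double-encoded traversal is caught, and reports path traversal, absolute paths and PHP stream wrappers. The sample log lines, the IP addresses and the `view.php?template=` endpoint are constructed for the example; the real plugin endpoint and parameter name are not stated on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PLUGIN_PATH = "/wp-content/plugins/woo-category-slider-by-pluginever/"

# Indicators from the IoC list: traversal ("../" also matches inside "....//"),
# PHP stream wrappers, and absolute Unix or Windows paths in a parameter value.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
WRAPPER_RE = re.compile(r"^(php|phar|data|file|expect)://", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^(/|[A-Za-z]:\\)")

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(value: str):
    """Return the indicator class for one decoded parameter value, or None."""
    v = fully_decode(value)
    if WRAPPER_RE.search(v):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(v):
        return "path-traversal"
    if ABS_PATH_RE.search(v):
        return "absolute-path"
    return None


def scan_line(line: str):
    """Parse one access log line; return a finding record or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    path = fully_decode(parts.path)
    if not path.startswith(PLUGIN_PATH):
        return None  # only requests aimed at the affected plugin are of interest
    findings = []
    # parse_qsl decodes one layer; fully_decode inside classify_param handles the rest
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kind = classify_param(value)
        if kind:
            findings.append((name, kind))
    if TRAVERSAL_RE.search(path):
        findings.append(("<path>", "path-traversal"))
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "target": target, "findings": findings}


def scan(lines):
    """Scan an iterable of log lines and return the list of finding records."""
    return [rec for rec in map(scan_line, lines) if rec]


# Constructed sample access log: one benign asset request, three suspicious
# requests to a hypothetical plugin endpoint, and one unrelated admin-ajax call.
SAMPLE_LOG = [
    '203.0.113.10 - - [19/May/2025:10:01:02 +0000] "GET /wp-content/plugins/woo-category-slider-by-pluginever/assets/css/style.css HTTP/1.1" 200 5120',
    '203.0.113.10 - - [19/May/2025:10:01:05 +0000] "GET /wp-content/plugins/woo-category-slider-by-pluginever/view.php?template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [19/May/2025:10:02:11 +0000] "GET /wp-content/plugins/woo-category-slider-by-pluginever/view.php?template=php%3A%2F%2Ffilter%2Fresource%3D..%2Fwp-config.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [19/May/2025:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64',
    '203.0.113.10 - - [19/May/2025:10:03:00 +0000] "GET /wp-content/plugins/woo-category-slider-by-pluginever/view.php?template=%252e%252e%252fwp-config.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["findings"], rec["target"])
```

The scanner reports three of the five sample lines (two traversal hits, including the double-encoded one, and one stream-wrapper hit) and ignores the benign asset request and the admin-ajax call. In production, feed it the access log of each host and join the flagged client IPs against authenticated session records to implement the role-correlation strategy in the third bullet.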
Monitoring Recommendations
- Enable verbose access logging on WordPress admin and AJAX endpoints used by the plugin
- Monitor file integrity for the WordPress core, plugin directories, and the uploads folder
- Forward web server and PHP error logs to a centralized SIEM for retention and correlation across hosts
How to Mitigate CVE-2025-39364
Immediate Actions Required
- Identify all WordPress sites running woo-category-slider-by-pluginever version 4.3.4 or earlier and isolate them pending remediation
- Disable the Product Category Slider for WooCommerce plugin until a fixed release is installed
- Rotate WordPress secret keys, database credentials, and any API tokens stored in wp-config.php if exploitation is suspected
- Review user accounts for unauthorized subscriber or contributor registrations created before the patch
Patch Information
No fixed version is listed in the published advisory at the time of writing. Administrators should consult the Patchstack Vulnerability Report and the plugin author's release notes for the latest update covering versions after 4.3.4.
Workarounds
- Deactivate and remove the plugin until a patched release is verified
- Deploy a Web Application Firewall rule that blocks path traversal sequences and PHP stream wrappers in requests targeting the plugin path
- Restrict PHP open_basedir and disable_functions to limit which files the interpreter can include and execute; note that open_basedir still permits inclusion of any file under the listed directories (wp-config.php included), so it narrows the reach of the flaw rather than removing it
- Enforce least privilege on the web server user so it cannot read sensitive configuration outside the WordPress installation
; Example php.ini hardening to constrain file inclusion scope
; (php.ini comments start with ";"; the "#" form was removed in PHP 7.0)
open_basedir = "/var/www/html/:/tmp/"
allow_url_include = Off
allow_url_fopen = Off
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.