CVE-2025-48124 Overview
CVE-2025-48124 is a path traversal vulnerability affecting the Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light WordPress plugin. The flaw exists in all versions through 2.4.37 and allows unauthenticated remote attackers to read arbitrary files from the underlying web server. The issue is classified under CWE-22, Improper Limitation of a Pathname to a Restricted Directory. Patchstack catalogs this issue as an arbitrary file download vulnerability in the excel-like-price-change-for-woocommerce-and-wp-e-commerce-light plugin.
Critical Impact
Unauthenticated attackers can download arbitrary files from vulnerable WordPress installations, exposing configuration files, credentials, and sensitive site data.
Affected Products
- Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light)
- All plugin versions from initial release through 2.4.37
- WordPress sites running WooCommerce or WP E-commerce with this plugin enabled
Discovery Timeline
- 2025-06-09 - CVE-2025-48124 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-48124
Vulnerability Analysis
The vulnerability stems from improper validation of user-supplied file path parameters within the plugin. An attacker can supply traversal sequences such as ../ to escape the intended working directory and reference files outside the plugin's own directory. Because the endpoint does not require authentication, exploitation is possible over the network without user interaction.
The primary impact is confidentiality. Successful exploitation enables an attacker to retrieve wp-config.php, server logs, .htaccess files, or other readable files on the filesystem. Recovered database credentials and authentication keys can lead to full site compromise through follow-on attacks, even though the vulnerability itself does not modify data or affect availability. The EPSS score is 0.498% as of the most recent scoring.
Root Cause
The plugin accepts a filename or path parameter from HTTP requests and passes it to a file read or download routine without canonicalizing the path or restricting it to an allowlisted directory. Missing input validation for directory separators and parent directory references (..) permits arbitrary file disclosure.
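The two missing controls named above, canonicalising the path and confining it to an allowlisted directory, are shown below in a small Python example. This is added illustration, not the plugin's code (the plugin is PHP and its real handler and directory layout are not on this page); DOWNLOAD_ROOT, naive_download_path and resolve_download_path are assumed names, and the naive function reproduces the join-and-read pattern the root cause describes so that the contrast with the hardened version is visible.

```python
import os
from urllib.parse import unquote

# Hypothetical allowlisted export directory for a download handler. The
# path is assumed for illustration and is not the plugin's real layout.
DOWNLOAD_ROOT = "/var/www/html/wp-content/uploads/price-changer-exports"


def naive_download_path(user_path, root=DOWNLOAD_ROOT):
    """The pattern the root cause describes: join and read, no containment check.

    normpath collapses '..' lexically, so a traversal payload walks out of
    root and the caller opens whatever path results.
    """
    return os.path.normpath(os.path.join(root, user_path))


def resolve_download_path(user_path, root=DOWNLOAD_ROOT):
    """Return the canonical path of user_path inside root, or None if rejected.

    Applies the two controls the root cause says are missing: canonicalise
    the requested path, then verify it is still under the allowlisted root.
    """
    if not user_path or "\x00" in user_path:
        return None
    # Decode once so percent-encoded dots and slashes are judged in decoded
    # form. Most frameworks decode the query string already; decoding again
    # only matters for names that legitimately contain '%'.
    decoded = unquote(user_path)
    if "\x00" in decoded or "\\" in decoded:
        # Backslashes are rejected outright: Windows hosts treat them as
        # separators and no export filename needs them.
        return None
    # Resolve symlinks and '..' on both sides before comparing, so the check
    # runs on the paths the filesystem will actually open.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # os.path.join discards root when decoded is absolute ('/etc/passwd');
    # the containment test below rejects that case as well.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if candidate == root_real:
        return None  # the root directory itself is not a file to serve
    return candidate


if __name__ == "__main__":
    for probe in ["prices-2025-06.csv", "../../../wp-config.php",
                  "%2e%2e%2f%2e%2e%2fwp-config.php", "/etc/passwd"]:
        print(f"{probe!r:40} naive={naive_download_path(probe)}"
              f"  hardened={resolve_download_path(probe)}")
```

The containment test compares canonical paths rather than string prefixes, so a sibling directory whose name merely starts with the root name (price-changer-exports-old, for instance) is rejected as well.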
Attack Vector
The attack is performed remotely over HTTP or HTTPS against a vulnerable WordPress site. The attacker issues a crafted request to the plugin's file download handler containing a path traversal payload. No credentials, privileges, or user interaction are required. The plugin returns the contents of the targeted file in the response.
This advisory describes the vulnerability in prose only; see the Patchstack WordPress Vulnerability Advisory for additional technical context.
Detection Methods for CVE-2025-48124
Indicators of Compromise
- HTTP requests to plugin endpoints under /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/ containing ../ or URL-encoded equivalents such as %2e%2e%2f.
- Unexpected outbound responses containing contents of wp-config.php, .htaccess, or other server configuration files.
- Access log entries from unauthenticated sessions targeting file or download parameters in plugin admin-ajax or REST endpoints.
Detection Strategies
- Inspect web server and WordPress access logs for path traversal patterns in query strings or POST bodies referencing the plugin slug.
- Deploy web application firewall rules that block requests containing directory traversal sequences against plugin URIs.
- Correlate file-read syscalls made by the PHP-FPM or Apache worker processes with requests that this plugin handles.
Monitoring Recommendations
- Monitor for sudden read access to wp-config.php or files outside the WordPress document root by the web server user.
- Alert on HTTP 200 responses where the body contains strings such as DB_PASSWORD, AUTH_KEY, or define('SECURE_AUTH_KEY'.
- Track baseline request patterns to plugin endpoints and flag deviations involving filename parameters.
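The indicators, detection strategies and monitoring items above can be turned into a small log-scanning check. The Python below is an added example, not tooling from Patchstack or the plugin vendor: the access-log lines are constructed, download-handler.php is a placeholder because the advisory does not name the vulnerable endpoint, and the function names are assumed. It flags requests to the plugin slug whose path or query carries a traversal sequence (raw, percent-encoded or double-encoded, with backslash variants), marks which of them returned a 200 with a body, and separately checks a response body for the wp-config.php markers named in the monitoring list.

```python
import re
from urllib.parse import unquote

# Plugin directory slug named in this advisory.
PLUGIN_SLUG = "excel-like-price-change-for-woocommerce-and-wp-e-commerce-light"

# Constructed sample traffic in combined log format (not real logs). The
# handler name download-handler.php is a placeholder; the advisory does not
# name the vulnerable endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jun/2025:10:01:02 +0000] "GET /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/assets/app.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [09/Jun/2025:10:01:07 +0000] "GET /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/download-handler.php?file=../../../wp-config.php HTTP/1.1" 200 3240 "-" "curl/8.0"
203.0.113.12 - - [09/Jun/2025:10:01:09 +0000] "GET /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/download-handler.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3240 "-" "python-requests/2.31"
203.0.113.13 - - [09/Jun/2025:10:01:15 +0000] "GET /wp-content/plugins/some-other-plugin/view.php?f=../etc/passwd HTTP/1.1" 404 210 "-" "curl/8.0"
203.0.113.14 - - [09/Jun/2025:10:01:20 +0000] "GET /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/download-handler.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3240 "-" "curl/8.0"
203.0.113.15 - - [09/Jun/2025:10:01:31 +0000] "GET /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/download-handler.php?file=..%5c..%5cwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' segment bounded by a path or query separator, checked after
# decoding and after backslashes are folded into forward slashes.
TRAVERSAL = re.compile(r"(?:^|[/?=&])\.\.(?:/|$)")


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %252e%252e%252f)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal_attempts(log_text, slug=PLUGIN_SLUG):
    """Return one finding per request to the plugin whose path or query
    contains a directory traversal sequence, raw or percent-encoded."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m or slug not in m["target"]:
            continue
        normalised = fully_decode(m["target"]).replace("\\", "/")
        if not TRAVERSAL.search(normalised):
            continue
        findings.append({
            "line": lineno,
            "ip": m["ip"],
            "status": int(m["status"]),
            "target": m["target"],
            # A 200 with a body is the case worth paging on; a 403 means the
            # WAF or proxy rule did its job.
            "likely_success": m["status"] == "200" and m["size"] not in ("-", "0"),
        })
    return findings


# Strings from the monitoring list that should never appear in a response.
SECRET_MARKERS = ("DB_PASSWORD", "AUTH_KEY", "define('SECURE_AUTH_KEY'")


def response_leaks_secrets(body):
    """True if a response body carries wp-config.php markers."""
    return any(marker in body for marker in SECRET_MARKERS)


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "blocked/failed"
        print(f"line {f['line']}: {f['ip']} {f['status']} {flag} {f['target']}")
```

Scoping the match to the plugin slug keeps the output aligned with the indicators above; passing a different slug to find_traversal_attempts reuses the same logic for other plugin directories.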
How to Mitigate CVE-2025-48124
Immediate Actions Required
- Disable or uninstall the Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin until a patched version is confirmed installed.
- Rotate WordPress secret keys, database credentials, and any API tokens that may have been exposed through wp-config.php.
- Audit web server and application logs for prior exploitation attempts targeting the plugin slug.
Patch Information
At the time of NVD publication, the vulnerability affects all versions of the plugin up to and including 2.4.37. Site administrators should consult the Patchstack WordPress Vulnerability Advisory for the current fixed version and apply the update through the WordPress plugin management interface.
Workarounds
- Block requests containing ../, ..\, or URL-encoded traversal sequences at the WAF or reverse proxy layer for plugin URIs.
- Restrict filesystem permissions so the web server user cannot read sensitive files outside the WordPress document root.
- Remove the plugin directory from the filesystem if the plugin is not required for site operations.
# Example nginx rule to block traversal against the plugin path.
# $args is the raw, undecoded query string, so both literal and
# percent-encoded sequences are visible to the regex. The rule cannot see
# POST bodies; those need a WAF with body inspection.
location ~* /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/ {
    # \x5c is the PCRE escape for a literal backslash. nginx collapses "\\"
    # inside quoted strings to a single "\", which would turn "\.\.\\|" into
    # a literal "..|" and silently break the alternation; \x5c survives.
    if ($args ~* "(\.\./|\.\.\x5c|\.\.%2f|\.\.%5c|%2e%2e/|%2e%2e\x5c|%2e%2e%2f|%2e%2e%5c)") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.