A critical path traversal vulnerability (CVE-2025-47649) has been identified in the Ilmosys Open Close WooCommerce Store plugin, affecting versions up to 4.9.5. This flaw allows attackers to perform local file inclusion (LFI) attacks, potentially exposing sensitive system files and database credentials. With a CVSS score of 8.8 (HIGH), this vulnerability requires immediate attention from organizations using this WordPress plugin.
Executive Summary for Security Leadership
The vulnerability stems from insufficient input sanitization in the plugin’s file parameter handling. Attackers can manipulate paths to access files outside the intended directory, including critical system files like wp-config.php. No official patch is available as of May 2025, requiring compensatory controls.
Key points:
– Vulnerability Type: Path Traversal → Local File Inclusion
– Affected Versions: All versions ≤ 4.9.5
– Exploit Complexity: Low (No authentication required)
– Primary Risk: Database credential theft via wp-config.php access
– Temporary Fix: Plugin removal recommended until patch availability
Technical Analysis
The vulnerability occurs in the download.php component of the Open Close WooCommerce Store plugin. The system fails to properly validate user-supplied input in the ‘file’ parameter, allowing directory traversal sequences. Patchstack researchers have confirmed the exploitability with this HTTP request pattern1:
GET /wp-content/plugins/woc-open-close/includes/download.php?file=../../../wp-config.php HTTP/1.1
Host: vulnerable.siteSuccessful exploitation could lead to:
– Exposure of WordPress database credentials
– Access to server configuration files
– Potential session hijacking through session file access
– Remote code execution if allow_url_include is enabled (rare configuration)
Mitigation Strategies
Since no vendor patch exists, organizations should implement these protective measures immediately:
1. Plugin Removal: Disable and remove the Open Close WooCommerce Store plugin until an update is available.
2. Web Application Firewall Rules:
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\.\/ [NC]
RewriteRule ^ - [F]3. File System Monitoring: Implement real-time monitoring for access attempts to sensitive files like wp-config.php.
4. Network Segmentation: Restrict web server access to necessary directories only.
Related Vulnerabilities
Recent WooCommerce ecosystem vulnerabilities show similar patterns:
| CVE | Plugin | Issue | CVSS |
|---|---|---|---|
| CVE-2025-1661 | HUSKY Products Filter | Unauthenticated LFI | 9.8 |
| CVE-2025-32631 | Oxygen MyData | Path Traversal | 8.5 |
Security Recommendations
For organizations using WooCommerce plugins, these best practices can reduce risk:
– Implement strict file permission structures (755 for directories, 644 for files)
– Regularly audit installed plugins for known vulnerabilities
– Consider virtual patching solutions for unpatched vulnerabilities
– Monitor web server logs for suspicious file access patterns
The CVE-2025-47649 vulnerability demonstrates the ongoing risks in WordPress plugin ecosystems. While awaiting an official patch, security teams should prioritize detection and prevention measures. This case highlights the importance of rigorous input validation in file handling operations and the need for comprehensive plugin management strategies.
References
- Patchstack, “WordPress Open Close WooCommerce Store 4.9.5 – Local File Inclusion Vulnerability,” 2025. [Online]. Available: https://patchstack.com/database/wordpress/plugin/woc-open-close/vulnerability/wordpress-open-close-woocommerce-store-4-9-5-local-file-inclusion-vulnerability?_s_id=cve
- NVD, “CVE-2025-47649 Detail,” 2025. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2025-47649
- GitHub Advisory Database, “GHSA-jrcj-jfvh-q4q9,” 2025. [Online]. Available: https://github.com/advisories/GHSA-jrcj-jfvh-q4q9
