PHP Remote File Inclusion Vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce
CVE-2025-39378

7.5 HIGH

What is CVE-2025-39378?

A vulnerability in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows local file inclusion because the plugin does not properly control the filename used in a PHP include/require statement. This flaw could lead to unauthorized access to sensitive files on the server, putting the data managed by the plugin at risk. Versions up to and including 2.4.37 are affected (the first affected version is unspecified), so users should update promptly to mitigate potential exploitation.

Affected Version(s)

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dimas Maulana (Patchstack Alliance)