CVE-2025-13088: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ikhodal Category and Product Woocommerce Tabs
The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server.
AI Analysis
Technical Summary
CVE-2025-13088 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Category and Product Woocommerce Tabs plugin for WordPress developed by ikhodal. The vulnerability stems from improper control of the filename used in an include or require statement within the plugin's categoryProductTab() function. Specifically, the 'template' parameter is not properly validated, allowing an attacker with authenticated access at the contributor level or above to manipulate this parameter to include arbitrary PHP files from the server. This can lead to remote code execution, as the included files are executed in the context of the web server. The vulnerability affects all versions up to and including 1.0 of the plugin. The CVSS v3.1 base score is 8.8, indicating high severity, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and full impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation by authenticated users make it a critical concern for WordPress sites using this plugin. The flaw allows attackers to escalate privileges and potentially take over the entire web server, compromising sensitive data and service availability.
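To make the CWE-98 pattern concrete, here is an added example that is not the plugin's code: the advisory names only the categoryProductTab() function and the 'template' parameter, so the function bodies, the templates/ directory, the template names in the allowlist, the helper cpwt_resolve_template() and the decision to append '.php' are all assumptions made for illustration. The first function shows the shape of the flaw the advisory describes (a request-controlled value reaching include()); the second shows the usual fix, an allowlist keyed by name plus a realpath() containment check as defence in depth.

```php
<?php
// Added example, not code from the Category and Product Woocommerce Tabs plugin.
// Only the function name categoryProductTab and the 'template' attribute come
// from the advisory; everything else here is assumed.

// --- Flawed shape (CWE-98): do not use ------------------------------------
// A contributor can place a shortcode with an arbitrary template="..." value in
// post content, so this value is attacker-controlled even though it never comes
// from an anonymous request.
function categoryProductTab_flawed(array $atts): string {
    $template = isset($atts['template']) ? (string) $atts['template'] : 'tabs';
    ob_start();
    // The raw attribute decides which file PHP loads and executes.
    include plugin_dir_path(__FILE__) . 'templates/' . $template . '.php';
    return ob_get_clean();
}

// --- Hardened version --------------------------------------------------------
// Fixed map from an accepted template *name* to a file the plugin ships.
// Names here are hypothetical.
const CPWT_TEMPLATES = [
    'tabs' => 'tabs.php',
    'grid' => 'grid.php',
    'list' => 'list.php',
];

/**
 * Resolve a requested template name to an absolute path, or null if it is not
 * one of the plugin's own templates. Hypothetical helper.
 */
function cpwt_resolve_template(string $requested): ?string {
    // 1. Allowlist: the user-supplied value is only ever used as a lookup key,
    //    never as part of a path.
    if (!array_key_exists($requested, CPWT_TEMPLATES)) {
        return null;
    }

    // 2. Containment check: even a file named in the map must resolve to a
    //    location inside the plugin's templates directory.
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . CPWT_TEMPLATES[$requested]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function categoryProductTab(array $atts): string {
    // shortcode_atts() fills in defaults; unknown attributes are dropped.
    $atts = shortcode_atts(['template' => 'tabs'], $atts, 'category_product_tab');

    $path = cpwt_resolve_template((string) $atts['template']);
    if ($path === null) {
        // Unknown template name: fall back to the default rather than erroring,
        // so a typo in post content never changes which files get included.
        $path = cpwt_resolve_template('tabs');
    }

    ob_start();
    include $path;
    return ob_get_clean();
}

// Shortcode tag is assumed; the plugin's real tag is not on the page.
add_shortcode('category_product_tab', 'categoryProductTab');
```

Two design points worth noting. Because contributors can author shortcode attributes in post content, a capability check inside the renderer would not help; the control has to be on the value itself, which is why the attribute is used only as a dictionary key. The realpath() comparison is deliberately redundant with the allowlist: it costs nothing and still holds if someone later extends the map with a value built from configuration or filter output.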
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those operating e-commerce websites using WordPress with the affected plugin. An attacker with contributor-level access—which is commonly granted to content creators or editors—can execute arbitrary PHP code, potentially leading to full server compromise. This could result in data breaches involving customer information, financial data, and intellectual property. Additionally, attackers could deface websites, disrupt services, or use compromised servers as a foothold for further attacks within the organization's network. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data exposure), and financial losses. Given the widespread use of WooCommerce in Europe, the vulnerability could affect a broad range of small to medium-sized enterprises that rely on this plugin for product display and management.
Mitigation Recommendations
1. Immediately restrict contributor-level user permissions to the minimum necessary, avoiding granting contributor access to untrusted users.
2. Monitor web server logs and WordPress activity logs for suspicious usage of the 'template' parameter or unexpected file inclusions.
3. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'template' parameter for file inclusion.
4. Disable or remove the Category and Product Woocommerce Tabs plugin if it is not essential to business operations until a patch is released.
5. Once available, promptly apply official security patches or updates from the plugin vendor.
6. Conduct regular security audits of WordPress plugins and user roles to ensure no unnecessary privileges are granted.
7. Employ file integrity monitoring to detect unauthorized changes to PHP files on the server.
8. Consider isolating WordPress instances in containerized or sandboxed environments to limit the blast radius of potential exploitation.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-12T19:49:07.750Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c305b35a0ab0a5627107b
Added to database: 11/18/2025, 8:37:47 AM
Last enriched: 11/25/2025, 9:47:25 AM
Last updated: 1/7/2026, 8:55:21 AM