CVE-2025-13088 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Category and Product Woocommerce Tabs plugin for WordPress developed by ikhodal. The vulnerability exists in all versions up to and including 1.0 due to improper control of the filename used in an include/require statement within the categoryProductTab() function. Specifically, the 'template' parameter is not sufficiently validated, allowing authenticated users with contributor-level privileges or higher to manipulate this parameter to include arbitrary PHP files from the server. This can lead to remote code execution (RCE) as the attacker can execute malicious PHP code on the web server. The attack vector is network-based, requiring low attack complexity and no user interaction, but does require some level of authentication (contributor or above). The vulnerability impacts confidentiality, integrity, and availability, as attackers can read sensitive files, modify server behavior, and disrupt services. Although no public exploits are currently known, the high CVSS score (8.8) reflects the critical nature of this flaw. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation. This vulnerability is particularly dangerous in WordPress environments where the plugin is installed and contributor-level users exist, as it expands the attack surface beyond typical remote attacks by leveraging legitimate user privileges.

The exploitation of CVE-2025-13088 can have severe consequences for organizations running WordPress sites with the vulnerable plugin. Attackers with contributor-level access can execute arbitrary PHP code, potentially leading to full server compromise. This includes unauthorized data access, data modification, defacement, installation of backdoors or malware, and disruption of website availability. The breach of confidentiality can expose sensitive customer or business data, while integrity and availability impacts can undermine trust and operational continuity. Since contributor-level access is often granted to multiple users such as content creators or editors, the risk of insider threats or compromised accounts being leveraged is significant. The vulnerability also increases the attack surface for privilege escalation and lateral movement within the hosting environment. Organizations relying on this plugin for e-commerce functionality may face financial losses, reputational damage, and regulatory penalties if exploited.

Immediate mitigation steps include restricting contributor-level user permissions to only trusted personnel and auditing existing user roles to minimize risk exposure. Administrators should monitor and log usage of the 'template' parameter and related plugin functions for suspicious activity. Employing Web Application Firewalls (WAFs) with custom rules to detect and block attempts to manipulate the 'template' parameter can help reduce exploitation risk. Until an official patch is released, consider disabling or removing the vulnerable plugin if feasible. If removal is not possible, implement strict input validation and sanitization at the web server or application level to prevent malicious file inclusion. Regularly update WordPress core and plugins to the latest versions and subscribe to vendor security advisories for timely patch releases. Conduct thorough security audits and penetration testing focusing on user privilege abuse and file inclusion vulnerabilities. Finally, maintain robust backup and incident response plans to quickly recover from potential compromises.