CVE-2025-26890 is a Local File Inclusion (LFI) vulnerability found in the RealMag777 HUSKY plugin for WooCommerce, specifically affecting versions up to 1.3.6.4. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input to these statements, causing the application to include unintended local files from the server's filesystem. Such an inclusion can lead to disclosure of sensitive information, such as configuration files, source code, or credentials, and may also facilitate further attacks like remote code execution if combined with other vulnerabilities. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. Although the description mentions PHP Remote File Inclusion, the actual issue is Local File Inclusion, which is generally easier to exploit in a controlled environment. No official patches or fixes have been linked yet, and no known exploits are reported in the wild as of the publication date. The vulnerability was reserved in February 2025 and published in March 2025, indicating recent discovery. The plugin is used in WooCommerce environments, which are widely deployed in e-commerce websites, increasing the potential attack surface. The lack of a CVSS score necessitates an expert severity assessment based on impact and exploitability factors.

The impact of CVE-2025-26890 is significant for organizations running WooCommerce sites with the vulnerable HUSKY plugin. Exploitation can lead to unauthorized disclosure of sensitive server files, including credentials, configuration files, and source code, compromising confidentiality. Attackers could leverage this information to escalate privileges or execute arbitrary code, threatening system integrity and availability. Since the vulnerability requires no authentication, any remote attacker can attempt exploitation, increasing the risk of widespread attacks. E-commerce platforms are particularly sensitive due to the presence of customer data and payment information, raising compliance and reputational risks. The absence of known exploits currently provides a window for mitigation, but the potential for rapid weaponization exists. Organizations failing to address this vulnerability may face data breaches, service disruptions, and regulatory penalties.

To mitigate CVE-2025-26890, organizations should immediately audit their WooCommerce installations to identify the presence and version of the RealMag777 HUSKY plugin. If the plugin is in use and at or below version 1.3.6.4, they should disable or remove it until a patch is available. In the absence of an official patch, applying virtual patching via web application firewalls (WAFs) to block suspicious requests targeting include/require parameters can reduce risk. Developers should review and sanitize all user inputs used in file inclusion functions, employing whitelisting of allowed filenames and avoiding dynamic inclusion based on user input. Monitoring web server logs for unusual access patterns or attempts to access sensitive files can help detect exploitation attempts early. Additionally, restricting file permissions on the server to limit access to sensitive files reduces the impact of successful exploitation. Organizations should subscribe to vendor advisories and apply official patches promptly once released.