CVE-2025-31405 is a Local File Inclusion (LFI) vulnerability found in the zankover Fami WooCommerce Compare plugin, versions up to 1.0.5. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input and cause the application to include unintended local files. This can lead to disclosure of sensitive files such as configuration files, password stores, or source code, which may further facilitate privilege escalation or remote code execution if combined with other vulnerabilities. The flaw is due to insufficient input validation or sanitization on user-supplied data that controls file inclusion paths. Although no remote file inclusion (RFI) is confirmed, the LFI itself can be leveraged to read arbitrary files on the server. The vulnerability was reserved and published in early 2025, with no known public exploits or patches available at the time of reporting. The affected product is a WooCommerce plugin widely used in WordPress e-commerce sites, making the attack surface significant in online retail environments. The absence of a CVSS score requires an expert severity assessment based on the technical details and potential impact.

The primary impact of CVE-2025-31405 is unauthorized disclosure of sensitive information through local file inclusion, which can compromise confidentiality. Attackers can access configuration files containing database credentials, API keys, or other secrets, potentially leading to further compromise of the web application or backend systems. In some cases, LFI vulnerabilities can be chained with other exploits to achieve remote code execution, threatening system integrity and availability. For organizations running WooCommerce stores with the affected plugin, this can result in data breaches, loss of customer trust, financial damage, and regulatory penalties. The vulnerability affects a widely used e-commerce plugin, increasing the risk of targeted attacks on online retailers globally. The ease of exploitation without authentication and lack of user interaction requirements amplify the threat. Although no exploits are currently known in the wild, the vulnerability presents a significant risk if weaponized by attackers.

Organizations should monitor the vendor's announcements and apply security patches promptly once available. Until a patch is released, administrators should consider disabling or removing the Fami WooCommerce Compare plugin if it is not essential. Implement strict input validation and sanitization on any parameters controlling file inclusion to prevent manipulation. Configure PHP settings to disable allow_url_include and restrict file inclusion to safe directories using open_basedir. Employ web application firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts. Conduct regular security audits and code reviews of custom plugins or themes to identify similar vulnerabilities. Maintain up-to-date backups and implement intrusion detection systems to quickly respond to potential exploitation attempts. Educate development teams on secure coding practices related to file handling in PHP applications.