CVE-2025-32585 identifies a path traversal vulnerability in the Trusty Plugins Shop Products Filter WordPress plugin, specifically versions up to 1.2. The vulnerability arises from improper input validation of file path parameters, allowing attackers to inject the sequence '.../...//' to traverse directories beyond the intended scope. This traversal enables PHP Local File Inclusion (LFI), where an attacker can include and potentially execute arbitrary files on the server. LFI vulnerabilities are critical because they can lead to disclosure of sensitive configuration files, source code, or even remote code execution if combined with other vulnerabilities or malicious file uploads. The plugin is commonly used in WooCommerce environments to filter products, making it a target for attackers aiming to compromise e-commerce websites. The vulnerability does not require user authentication, increasing its risk profile. Although no public exploits have been reported yet, the ease of exploitation and the potential impact make it a significant threat. The lack of a CVSS score indicates the need for a severity assessment based on technical characteristics. The vulnerability was published shortly after its reservation date, indicating recent discovery. No official patches or mitigations are currently linked, emphasizing the need for immediate attention by site administrators.

The primary impact of this vulnerability is unauthorized access to local files on the web server, which can lead to exposure of sensitive information such as database credentials, configuration files, or user data. This compromises confidentiality and may also affect integrity if an attacker can execute arbitrary PHP code through the inclusion of malicious files. For e-commerce sites using the affected plugin, this could result in data breaches, loss of customer trust, financial damage, and regulatory penalties. The availability impact is lower but possible if the attacker uses the vulnerability to disrupt service or crash the application. Because the vulnerability does not require authentication, any remote attacker can exploit it, increasing the attack surface. Organizations with high traffic WooCommerce sites are particularly vulnerable, and the exploitation could be automated once public exploits emerge, leading to widespread compromise.

Until an official patch is released, organizations should consider the following mitigations: 1) Disable or uninstall the Trusty Plugins Shop Products Filter plugin if it is not essential to operations. 2) Implement web application firewall (WAF) rules to detect and block requests containing suspicious path traversal sequences such as '.../...//'. 3) Apply manual input validation and sanitization on all parameters that interact with file paths, ensuring traversal sequences are rejected. 4) Restrict PHP file inclusion functions and limit file system permissions to prevent unauthorized file access. 5) Monitor server logs for unusual access patterns or attempts to exploit path traversal. 6) Stay updated with vendor announcements and apply patches immediately once available. 7) Conduct security audits on WordPress plugins and consider alternative plugins with better security track records.