CVE-2025-32587 identifies a path traversal vulnerability in the WooCommerce Pickupp plugin, a WordPress extension used for integrating Pickupp shipping services into WooCommerce stores. The vulnerability stems from improper validation and limitation of file pathnames, allowing an attacker to manipulate input parameters to traverse directories outside the intended restricted scope. This can lead to Local File Inclusion (LFI) in PHP, where an attacker can include and execute arbitrary files on the server. The affected versions include all releases up to and including 2.4.3. Since WooCommerce is a widely used e-commerce platform and Pickupp is a shipping integration plugin, many online stores could be exposed. The vulnerability does not require authentication or user interaction, making remote exploitation feasible. Attackers could leverage this flaw to read sensitive configuration files, access credentials, or execute malicious PHP code, potentially leading to full server compromise. No official patches or exploit code are currently published, but the vulnerability is publicly disclosed, increasing the risk of future exploitation. The absence of a CVSS score necessitates an expert severity assessment based on the technical details and potential impact.

The impact of CVE-2025-32587 is significant for organizations running WooCommerce stores with the Pickupp plugin installed. Successful exploitation can lead to unauthorized disclosure of sensitive data such as database credentials, configuration files, and customer information. Furthermore, the ability to include and execute arbitrary PHP files can result in full server compromise, enabling attackers to deploy malware, deface websites, or pivot to internal networks. This threatens the confidentiality, integrity, and availability of affected systems. E-commerce businesses could suffer financial losses, reputational damage, and regulatory penalties due to data breaches. The ease of exploitation without authentication or user interaction broadens the attack surface and increases the likelihood of automated attacks. Organizations relying on this plugin for shipping logistics are particularly vulnerable, as attackers might also disrupt order fulfillment processes.

To mitigate CVE-2025-32587, organizations should immediately update the WooCommerce Pickupp plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should implement strict input validation and sanitization on all parameters that handle file paths within the plugin. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the plugin endpoints. Restrict file system permissions to limit the web server's access to only necessary directories, preventing unauthorized file reads or writes. Monitor logs for suspicious requests that include directory traversal patterns or attempts to access sensitive files. Disable or restrict PHP functions that facilitate file inclusion if not required. Additionally, conduct regular security audits and vulnerability scans on WordPress installations and plugins. Engage with the plugin vendor or community to track patch releases and advisories.