
CVE-2025-39378: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Medium
Published: Thu Apr 24 2025 (04/24/2025, 16:08:39 UTC)
Source: CVE
Vendor/Project: Holest Engineering
Product: Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows PHP Local File Inclusion. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.

AI-Powered Analysis

Last updated: 06/24/2025, 11:41:24 UTC

Technical Analysis

CVE-2025-39378 is classified under CWE-98, improper control of the filename used in a PHP include or require statement. It affects the Holest Engineering product Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light up to and including version 2.4.37. The flaw allows PHP Local File Inclusion (LFI): an attacker can manipulate the parameter that feeds an include or require call and cause the application to load a file from the local server that the developer never intended to expose. If the attacker can control or influence the contents of the included file, this can lead to execution of arbitrary PHP code; even without that, it can expose sensitive files on the server.

The root cause is that the application does not properly validate or sanitize the input that controls the filename, so a crafted value can traverse directories or name an arbitrary file. Although the CWE title mentions 'PHP Remote File Inclusion', the actual impact described is local file inclusion, which is generally less severe than remote file inclusion but still critical in many deployments.

No public exploits had been reported in the wild as of the publication date (April 24, 2025), and no patch had been linked at that time. The affected plugin runs on WooCommerce and WP E-commerce, both popular e-commerce platforms built on WordPress, so the attack surface is broad if the flaw is exploited. Exploitation requires the ability to send crafted requests to the vulnerable plugin but does not require authentication or user interaction, which increases the risk. The consequences of the missing input validation are unauthorized disclosure of sensitive files, potential code execution, and compromise of the web server hosting the e-commerce site.

Potential Impact

For European organizations, this vulnerability poses a significant risk to e-commerce websites using WooCommerce or WP E-commerce with the affected Holest Engineering plugin. Exploitation could lead to unauthorized access to sensitive customer data, including payment information, personal details, and business-critical pricing data. The ability to include local files may allow attackers to execute arbitrary code, potentially leading to full server compromise, data breaches, and disruption of e-commerce operations. This can result in financial losses, reputational damage, and regulatory penalties under GDPR due to exposure of personal data. The impact is particularly critical for small and medium-sized enterprises (SMEs) that rely heavily on these plugins for pricing management and may lack advanced security controls. Additionally, compromised e-commerce platforms could be used as a pivot point for further attacks within corporate networks. Given the medium severity rating and the lack of public exploits, the threat is currently moderate but could escalate rapidly if exploit code becomes available. The vulnerability also increases the risk of supply chain attacks if attackers leverage compromised e-commerce sites to distribute malicious payloads to customers.

Mitigation Recommendations

1. Immediately audit and inventory all WooCommerce and WP E-commerce installations to identify use of the Holest Engineering Spreadsheet Price Changer plugin, specifically versions up to 2.4.37.
2. Disable or remove the vulnerable plugin until a security patch is released by the vendor.
3. Implement strict input validation and sanitization on all parameters that control file inclusion paths, ensuring only allowed filenames or directories can be referenced.
4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting directory traversal or file inclusion patterns targeting the plugin endpoints.
5. Restrict file system permissions on the web server to limit the PHP process's access to only necessary directories, preventing inclusion of sensitive files.
6. Monitor web server and application logs for anomalous requests indicative of attempted exploitation, such as unusual URL parameters or error messages related to file inclusion.
7. Educate development and operations teams about secure coding practices related to file inclusion and the risks of CWE-98 vulnerabilities.
8. Once a patch is available from Holest Engineering, prioritize testing and deployment in all affected environments.
9. Consider deploying runtime application self-protection (RASP) solutions that can detect and block file inclusion attacks in real time.
10. Regularly back up website data and configurations to enable rapid recovery in case of compromise.
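To make recommendation 3 concrete, the following is an added illustration of the CWE-98 pattern and its allowlist-based fix; it is not code from the Spreadsheet Price Changer plugin or from Holest Engineering, and the function, parameter and template names are hypothetical.

```php
<?php
// Added example of CWE-98 (PHP Local File Inclusion) and its mitigation.
// Hypothetical names; not the plugin's own code.

// VULNERABLE PATTERN: a request parameter reaches include() unchecked, so a
// traversal sequence or an arbitrary filename in $name is included as-is.
function load_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// HARDENED PATTERN: the request parameter is only ever a key into a fixed
// allowlist; the filesystem path is chosen by the application, never the user.
const ALLOWED_TEMPLATES = [
    'table' => 'table.php',
    'list'  => 'list.php',
];

function load_template_safe(string $name): void
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        // Exact-match rejection: log for detection (recommendation 6) and stop.
        error_log('Rejected template name: ' . $name);
        http_response_code(400);
        return;
    }

    // Defence in depth: resolve the real path and confirm it still lies inside
    // the template directory, so a misconfigured allowlist cannot escape it.
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_TEMPLATES[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('Template path escaped template directory: ' . $name);
        http_response_code(500);
        return;
    }

    include $path;
}

// Hypothetical entry point: the 'template' query parameter selects a template.
$requested = $_GET['template'] ?? 'table';
load_template_safe($requested);
```

The rejected-name log lines give a simple signal for the monitoring step: repeated 400 responses with non-allowlisted template values are what attempted exploitation of this pattern looks like in the logs.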


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-16T06:22:35.636Z
CISA Enriched: true

Threat ID: 682d983fc4522896dcbf059a

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 11:41:24 AM

Last updated: 7/26/2025, 11:43:05 PM
