
CVE-2025-39391: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in zamartz Checkout Field Visibility for WooCommerce

Medium
Published: Thu Apr 24 2025 (04/24/2025, 16:08:33 UTC)
Source: CVE
Vendor/Project: zamartz
Product: Checkout Field Visibility for WooCommerce

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zamartz Checkout Field Visibility for WooCommerce allows PHP Local File Inclusion. This issue affects Checkout Field Visibility for WooCommerce: from n/a through 1.2.3.

AI-Powered Analysis

Last updated: 06/24/2025, 11:26:46 UTC

Technical Analysis

CVE-2025-39391 is a vulnerability classified under CWE-98, improper control of the filename used in an include or require statement in a PHP program. It affects the 'Checkout Field Visibility for WooCommerce' plugin developed by zamartz, up to and including version 1.2.3. The flaw allows PHP Local File Inclusion (LFI): an attacker can manipulate the value that ends up in an include or require call so that the plugin loads an arbitrary file from the local filesystem. Depending on server configuration and file permissions, this can lead to disclosure of sensitive files, code execution, or further exploitation. The root cause is that the plugin does not validate or sanitize the user-supplied input that determines which file is included at runtime. Although the CWE category is named after remote file inclusion, the technical details describe a local file inclusion, meaning remote file inclusion (RFI) is not directly possible, but local files can be included and executed. There were no known exploits in the wild at the time of publication (April 24, 2025), and no patch had been released. The record was reserved and enriched by CISA, indicating recognition by US cybersecurity authorities. The affected product is a WordPress plugin that controls the visibility of checkout fields in WooCommerce, a widely used e-commerce platform. Because the plugin's include handling can be steered by an attacker, sensitive files such as configuration files or password files may be read, and arbitrary PHP code may be executed if the flaw is combined with other vulnerabilities or with files the web server user can write. This can compromise the confidentiality, integrity, and availability of the affected web server and potentially the entire e-commerce deployment.
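The following is an added illustration of the CWE-98 pattern described above and of the fix a developer would apply; it is not the plugin's own code, and the function names, template file names and keys are assumptions.

```php
<?php
// Added example, not taken from the plugin: a generic CWE-98 include pattern
// and a hardened replacement that only loads files from a fixed allow-list
// located inside the plugin's own templates directory.

// VULNERABLE pattern: the file name is taken straight from the request, so an
// attacker-controlled value can traverse out of the templates directory.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: map a short request key to a known file, then confirm the
// resolved path still lies inside the templates directory before including.
function render_template_safe(string $key): bool
{
    $allowed = [
        'billing'  => 'billing-fields.php',   // assumed template names
        'shipping' => 'shipping-fields.php',
    ];
    if (!array_key_exists($key, $allowed)) {
        return false;                          // unknown key: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$key]);
    // realpath() returns false for missing files; also reject anything that
    // resolves outside $base (symlinks, traversal) as defence in depth.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Request handling: whitelist the characters first, then let the allow-list decide.
$raw = (string) ($_GET['field_group'] ?? 'billing');
$key = preg_match('/^[a-z_]{1,32}$/', $raw) ? $raw : '';
if (!render_template_safe($key)) {
    http_response_code(400);
    echo 'Unknown field group';                // never echo the attempted path
}
```

The allow-list is the actual control; the realpath() containment check only guards against mistakes in the mapping itself, such as a template entry that is a symlink.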

Potential Impact

For European organizations running WooCommerce with the vulnerable 'Checkout Field Visibility for WooCommerce' plugin, this vulnerability poses a moderate risk. An attacker exploiting the LFI could read sensitive files, including configuration files that hold database credentials or API keys, leading to data breaches and unauthorized access. In the worst case, remote code execution may be achieved by including files that contain attacker-influenced content or by chaining other vulnerabilities, which could result in full server compromise. That would disrupt e-commerce operations, cause financial losses, damage brand reputation, and create regulatory non-compliance under GDPR because of the data exposure. Since WooCommerce is widely used by small and medium-sized businesses across Europe for online retail, the vulnerability could affect a broad range of sectors, including retail, manufacturing, and services. The medium severity rating reflects that exploitation requires some interaction with the vulnerable plugin and that the flaw is limited to local file inclusion rather than remote file inclusion. However, the potential for chained attacks and the critical nature of e-commerce platforms raise the risk profile, and the absence of a patch lengthens the exposure window. Organizations with poor server hardening or shared hosting environments are at higher risk, as attackers might use the vulnerability to pivot to other systems or escalate privileges.

Mitigation Recommendations

1. Immediate mitigation should involve disabling or uninstalling the vulnerable 'Checkout Field Visibility for WooCommerce' plugin until a security patch is released by zamartz.
2. Implement strict input validation and sanitization on any user-controllable parameters related to file inclusion to prevent manipulation of include/require statements.
3. Restrict PHP include paths using open_basedir, and disable allow_url_include in the PHP configuration, to limit file inclusion to safe directories.
4. Harden server file permissions so that sensitive files are not readable or writable by the web server user, minimizing the impact of LFI.
5. Monitor web server logs for suspicious requests that attempt to manipulate file inclusion parameters or access sensitive files.
6. Employ Web Application Firewalls (WAFs) with rules targeting LFI attack patterns to block exploitation attempts.
7. Conduct regular security audits and vulnerability scans on WordPress plugins and themes to detect outdated or vulnerable components.
8. Prepare incident response plans specific to web application compromises, including backups and recovery procedures.
9. Once a patch is available, prioritize timely updates of the plugin to remediate the vulnerability.
10. Educate development and IT teams on secure coding practices related to file inclusion and input validation to prevent similar issues in custom code.
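As an added example for the log-monitoring step (5) above, not part of the original advisory, the script below triages web server access-log lines for the traversal, null-byte and stream-wrapper fragments that LFI probes typically carry in a query string. The log lines and the parameter name are constructed for illustration.

```php
<?php
// Added example, not from the original page: flag access-log requests whose
// query string carries LFI indicators. Log lines below are constructed
// samples in Apache combined-log style.

$lines = [
    '203.0.113.5 - - [24/Apr/2025:16:10:01 +0000] "GET /?field_group=billing HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2025:16:10:02 +0000] "GET /?field_group=..%252F..%252Fconfig HTTP/1.1" 200 1024',
    '203.0.113.9 - - [24/Apr/2025:16:10:03 +0000] "GET /?field_group=billing%00.txt HTTP/1.1" 200 2048',
];

// Indicator patterns applied to both the raw and the decoded query string.
$patterns = [
    'traversal' => '#(\.\./|\.\.\\\\)#',          // ../ or ..\
    'wrapper'   => '#\b(php|data|phar|expect|zip)://#i',
    'null_byte' => '#(%00|\x00)#',
];

// Returns the list of indicator names that matched, empty if the line is clean.
function flag_lfi_probe(string $line, array $patterns): array
{
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY) ?? '';
    // Decode twice: probes are often URL-encoded once or double-encoded.
    $decoded = rawurldecode(rawurldecode($query));
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $query) || preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

foreach ($lines as $line) {
    $hits = flag_lfi_probe($line, $patterns);
    if ($hits !== []) {
        printf("ALERT [%s] %s\n", implode(',', $hits), $line);
    }
}
```

Run it against a real log with `php triage.php < access.log` after swapping the `$lines` array for a `while (($line = fgets(STDIN)) !== false)` loop; a hit on the plugin's parameter is a reason to check the file-inclusion paths that step 2 hardens.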


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-04-16T06:22:42.846Z
Cisa Enriched
true

Threat ID: 682d983fc4522896dcbf05f7

Added to database: 5/21/2025, 9:09:19 AM

Last enriched: 6/24/2025, 11:26:46 AM

Last updated: 8/10/2025, 5:07:16 PM
