
CVE-2025-48124: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Severity: High
Tags: cve-2025-48124, cwe-22
Published: Mon Jun 09 2025 (06/09/2025, 15:54:05 UTC)
Source: CVE Database V5
Vendor/Project: Holest Engineering
Product: Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Path Traversal. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37.

AI-Powered Analysis

Last updated: 07/11/2025, 01:47:14 UTC

Technical Analysis

CVE-2025-48124 is a high-severity path traversal vulnerability (CWE-22) in the Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin, affecting all versions through 2.4.37. The plugin does not adequately confine a user-controlled pathname to the directory it is meant to serve from, so a request carrying '../' segments, or their URL-encoded equivalents, can resolve to files outside that directory. The CVSS 3.1 base score of 7.5 records a network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N) and a high confidentiality impact (C:H) with no integrity or availability impact; with those metrics, 7.5 corresponds to low attack complexity and unchanged scope. Read together, the vector describes an unauthenticated remote file read. Note what the record does not contain: no vulnerable endpoint or parameter name and no proof of concept, so the arbitrary-file-read characterization is inferred from the vector rather than taken from a published exploit. On a WordPress host the files worth reading are well known regardless: wp-config.php (database credentials and authentication salts), other plugins' configuration, and anything else the PHP process can open. Because the plugin is used for bulk price management on WooCommerce and WP E-commerce stores, the exposed population is online shops rather than a niche deployment. The record lists no patch reference. That does not by itself prove that no fix exists; treat every version through 2.4.37 as affected and check the plugin changelog for a release newer than 2.4.37 before assuming one does. No exploitation in the wild is reported at the time of this analysis, but file-read flaws of this class are trivially scriptable once the entry point is public, so expect automated scanning to follow disclosure.

Potential Impact

For European organizations running WooCommerce or WP E-commerce stores with the vulnerable Spreadsheet Price Changer plugin installed, the risk is unauthorized disclosure of whatever the PHP process can read. On a typical WordPress install that includes wp-config.php (database credentials and authentication salts), payment and shipping integration settings stored by other plugins, API keys in configuration files, and exported spreadsheets that reveal pricing strategy. Disclosure of customer data from the database that those credentials unlock would be a personal data breach under GDPR, with the notification obligations and potential fines that follow, on top of direct financial and reputational loss. Retailers and e-commerce service providers are the natural targets, since disclosed data can be reused for fraud or by competitors. Because the flaw is reachable over the network without credentials or user interaction, it is well suited to mass scanning, and a site need not be individually targeted to be hit. Disclosed credentials and keys also provide a foothold for follow-on attacks such as phishing of staff or customers or compromise of connected suppliers. Given how widely WooCommerce is used in Europe, the affected population spans small shops to large enterprises.

Mitigation Recommendations

The immediate mitigation is to deactivate and remove the Spreadsheet Price Changer plugin until a release newer than 2.4.37 that the vendor or Patchstack confirms as fixed is available. If removal is not feasible, restrict access to the plugin's PHP entry points at the web server (.htaccess or an Nginx location block), ideally limiting them to the IP ranges of the staff who use the tool; be aware that blocking the whole plugin directory also disables any front-end behaviour the plugin provides, so test the store after the change. Web Application Firewall rules should match on the decoded request, not on the raw string: '../' is only one spelling, and '..%2f', '%2e%2e/', the double-encoded '%252e%252e%252f' and backslash forms such as '..%5c' all bypass a naive substring rule. Also flag parameters that carry an absolute path or the literal 'wp-config.php', since those are CWE-22 abuses that contain no '..' at all. When reviewing web server logs, remember that the raw request line is logged undecoded, so decode before searching, and treat a 200 response with a non-trivial byte count on a traversal-shaped request as evidence that the file was served rather than as a mere attempt. If wp-config.php may have been read, rotate the database password and regenerate the authentication salts, and rotate any API keys kept in configuration files. File system permissions still matter, with a caveat: wp-config.php must remain readable by the PHP process, so permissions cannot stop this plugin from reading it; what they do limit is reading outside the web root, so keep the web server user's read access to the directories it genuinely needs. Subscribe to vendor and Patchstack advisories so the official fix is applied promptly, and make sure the people who administer the store know what a traversal attempt looks like in the logs and what to rotate if one succeeded.
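A log check of the kind recommended above, written as an added example for this advisory rather than taken from the page or the vendor. It parses combined-format access log lines, decodes the request target (up to two rounds, then folds backslashes) before matching, and reports traversal or sensitive-file access with the response status so that served files stand out from blocked attempts. The log lines are constructed; the plugin slug, the export.php endpoint and the file parameter are assumptions, because the advisory does not name the vulnerable entry point.

```python
"""Flag path-traversal probes against a WordPress plugin in access logs.

Added detection example for this advisory, not code from the page or the
vendor. The log lines are constructed; the plugin slug, the 'export.php'
endpoint and the 'file' parameter are assumptions.
"""
import re
import urllib.parse

# Apache/Nginx "combined" format, parsed only as far as this check needs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A '..' segment bounded by a separator, '=', '&', '?' or the string ends,
# so 'price..desc' in a query value is not a hit.
TRAVERSAL_RE = re.compile(r'(?<![^/\\=&?])\.\.(?=[/\\]|$)')
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd", ".env", ".htaccess")

PLUGIN_SLUG = "spreadsheet-price-changer"  # assumed slug

# Constructed sample log: the first four lines are hostile, the last two benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "GET /wp-content/plugins/spreadsheet-price-changer/export.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.6.0"
203.0.113.7 - - [10/Jun/2025:12:00:02 +0000] "GET /wp-content/plugins/spreadsheet-price-changer/export.php?file=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1502 "-" "curl/8.6.0"
198.51.100.9 - - [10/Jun/2025:12:05:10 +0000] "GET /wp-content/plugins/spreadsheet-price-changer/export.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.32"
198.51.100.9 - - [10/Jun/2025:12:05:11 +0000] "GET /wp-content/plugins/spreadsheet-price-changer/export.php?file=..%5c..%5cwp-config.php HTTP/1.1" 404 218 "-" "python-requests/2.32"
192.0.2.4 - - [10/Jun/2025:12:10:00 +0000] "GET /wp-content/plugins/spreadsheet-price-changer/export.php?file=prices-2025.csv HTTP/1.1" 200 48213 "https://shop.example/wp-admin/" "Mozilla/5.0"
192.0.2.4 - - [10/Jun/2025:12:10:05 +0000] "GET /shop/page/2/?orderby=price..desc HTTP/1.1" 200 20831 "-" "Mozilla/5.0"
"""


def normalize_target(target: str) -> str:
    """Percent-decode up to two rounds and fold backslashes to '/'.

    The server logs the raw request line, so '..%2f', '%2e%2e/', the
    double-encoded '%252e%252e%252f' and '..%5c' all hide the traversal
    from a plain '../' substring match until decoded.
    """
    out = target
    for _ in range(2):
        decoded = urllib.parse.unquote(out)
        if decoded == out:
            break
        out = decoded
    return out.replace("\\", "/")


def classify(line: str, plugin_slug: str = PLUGIN_SLUG):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize_target(m.group("target"))
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("traversal")
    if any(name in norm for name in SENSITIVE_FILES):
        reasons.append("sensitive-file")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "bytes": m.group("size"),
        "hits_plugin": f"/wp-content/plugins/{plugin_slug}/" in norm,
        "normalized": norm,
        "reasons": reasons,
    }


def scan(log_text: str) -> list:
    """Classify every line of an access log and keep only the findings."""
    findings = []
    for line in log_text.splitlines():
        finding = classify(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        # A 200 with a non-trivial byte count on a traversal request is the
        # line to escalate: the file was most likely served.
        print(f["ip"], f["status"], f["bytes"], ",".join(f["reasons"]), f["normalized"])
```

Run against a real log, the status column is the triage key: the 403 and 404 lines show the WAF or the file system did its job, while the two 200 responses from 203.0.113.7 are the ones that justify credential rotation. Decoding stops after two rounds on purpose; a third round adds nothing an attacker can use once the first two are covered.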


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-05-15T18:01:28.792Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f581b0bd07c3938a886

Added to database: 6/10/2025, 6:54:16 PM

Last enriched: 7/11/2025, 1:47:14 AM

Last updated: 8/4/2025, 6:22:34 AM