What the vulnerability does
01 Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion. This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3.
Explanation of Vulnerability in Simple Terms
02 Summary
WooCommerce Store Toolkit versions 2.4.3 and earlier contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service. The attack requires the victim to click a malicious link or visit a compromised page. The vulnerability stems from improper input handling in the plugin.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify site content, or disrupt the site's availability.
Potential impact on your site
04 Site Impact
Your WooCommerce store's data, content, and availability could be compromised if users visit a malicious link.
Conditions required to exploit
05 Prerequisites
Victim must click a malicious link or visit an attacker-controlled page.
Key dates
06 Disclosure timeline
November 6, 2025: CVE published
April 28, 2026: Record updated