{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13088", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T19:49:07.750Z", "datePublished": "2025-11-18T08:27:36.700Z", "dateUpdated": "2026-04-08T17:20:25.696Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:25.696Z"}, "affected": [{"vendor": "ikhodal", "product": "Category and Product Woocommerce Tabs", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server."}], "title": "Category and Product Woocommerce Tabs <= 1.0 - Authenticated (Contributor+) Local File Inclusion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3938bbb-dc3d-4550-a05d-0cde970e38f8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/category-and-product-woocommerce-tabs/tags/1.0/include/wccategorytab.php#L108"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "cweId": "CWE-98", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-11-04T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-17T20:16:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-18T21:05:23.851238Z", "id": "CVE-2025-13088", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:05:36.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13088", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-18T21:05:23.851238Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-18T21:05:32.203Z"}}], "cna": {"title": "Category and Product Woocommerce Tabs <= 1.0 - Authenticated (Contributor+) Local File Inclusion", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "ikhodal", "product": "Category and Product Woocommerce Tabs", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-04T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-17T20:16:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3938bbb-dc3d-4550-a05d-0cde970e38f8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/category-and-product-woocommerce-tabs/tags/1.0/include/wccategorytab.php#L108"}], "descriptions": [{"lang": "en", "value": "The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-18T08:27:36.700Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13088", "state": "PUBLISHED", "dateUpdated": "2025-11-18T21:05:36.780Z", "dateReserved": "2025-11-12T19:49:07.750Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-18T08:27:36.700Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server."}], "id": "CVE-2025-13088", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-18T09:15:50.030", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/category-and-product-woocommerce-tabs/tags/1.0/include/wccategorytab.php#L108"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3938bbb-dc3d-4550-a05d-0cde970e38f8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:33:27.027953+00:00", "value": {"mitigation_remediation": ["Upgrade the Category and Product Woocommerce Tabs plugin to any version newer than 1.0 if available.", "If no newer version exists, uninstall or deactivate the plugin to eliminate the attack surface.", "Reduce or remove Contributor and higher roles from the site to prevent authenticated exploitation of the flaw."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion leading to execution of arbitrary PHP code by authenticated users with contributor-level access"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the Category and Product Woocommerce Tabs plugin version 1.0 or earlier installed is affected. The vulnerability applies to all sites where a user can authenticate with Contributor or higher roles. No specific WordPress core or other plugin versions are implicated beyond the presence of this plugin.", "description_and_impact": "The vulnerability is a Local File Inclusion flaw in the Category and Product Woocommerce Tabs plugin for WordPress caused by insufficient validation of the 'template' parameter within the categoryProductTab() function. An attacker who has authenticated Contributor or higher privileges can supply a crafted value for this parameter, causing the server to include and execute arbitrary PHP files. This results in potential remote code execution, data exfiltration, or modification of site content. The weakness is classified as CWE-98.", "risk_and_exploitability": "The CVSS score of 8.8 marks the flaw as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the near term, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. Attackers would first need to authenticate to the site, then send a request containing a malicious 'template' value to the vulnerable endpoint. Because the vulnerability is localized to authenticated users, overall risk is moderate to high for sites that retain Contributor or higher roles for potentially untrusted staff."}}}}, "created": "2025-11-19T10:48:02.105086+00:00", "updated": "2026-04-21T01:45:24.437515+00:00", "vendors": ["ikhodal", "ikhodal$PRODUCT$category_and_product_woocommerce_tabs", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}