Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-8393

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-16 Aug, 2025 | 03:38
Updated At-08 Apr, 2026 | 17:24
Rejected At-
Credits

Woocommerce Blocks – Woolook <= 1.7.0 - Authenticated (Admin+) Local File Inclusion

The Woocommerce Blocks – Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Please note that this can also be exploited via CSRF techniques.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:16 Aug, 2025 | 03:38
Updated At:08 Apr, 2026 | 17:24
Rejected At:
▼CVE Numbering Authority (CNA)
Woocommerce Blocks – Woolook <= 1.7.0 - Authenticated (Admin+) Local File Inclusion

The Woocommerce Blocks – Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Please note that this can also be exploited via CSRF techniques.

Affected Products
Vendor
delabon
Product
Woocommerce Blocks – Woolook
Default Status
unaffected
Versions
Affected
  • From 0 through 1.7.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-98CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Type: CWE
CWE ID: CWE-98
Description: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Metrics
VersionBase scoreBase severityVector
3.16.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 6.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
paulmockford
Timeline
EventDate
Disclosed2025-08-15 00:00:00
Event: Disclosed
Date: 2025-08-15 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/cf3916fc-f652-4615-872c-3f007b8999df?source=cve
N/A
https://plugins.trac.wordpress.org/browser/woolook/trunk/includes/views/panel.php
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/cf3916fc-f652-4615-872c-3f007b8999df?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/woolook/trunk/includes/views/panel.php
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:16 Aug, 2025 | 04:15
Updated At:18 Aug, 2025 | 20:16

The Woocommerce Blocks – Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Please note that this can also be exploited via CSRF techniques.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.6MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 6.6
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-98Primarysecurity@wordfence.com
CWE ID: CWE-98
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/woolook/trunk/includes/views/panel.phpsecurity@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/cf3916fc-f652-4615-872c-3f007b8999df?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/woolook/trunk/includes/views/panel.php
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/cf3916fc-f652-4615-872c-3f007b8999df?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

5Records found
CVE-2024-8392
Matching Score-6
Assigner-Wordfence
ShareView Details
Matching Score-6
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.32% / 54.87%
||
7 Day CHG~0.00%
Published-26 Oct, 2024 | 08:36
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Post Grid Layouts with Pagination – Sogrid <= 1.5.6 - Authenticated (Admin+) Local File Inclusion

The WordPress Post Grid Layouts with Pagination – Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.6 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This can also be exploited via CSRF techniques.

Action-Not Available
Vendor-delabon
Product-WordPress Post Grid Layouts with Pagination – Sogrid
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2025-68974
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.6||MEDIUM
EPSS-0.20% / 42.27%
||
7 Day CHG~0.00%
Published-30 Dec, 2025 | 10:47
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WordPress Social Login and Register plugin <= 7.7.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion.This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.

Action-Not Available
Vendor-miniOrange
Product-WordPress Social Login and Register
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2025-66115
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.6||MEDIUM
EPSS-0.10% / 27.31%
||
7 Day CHG~0.00%
Published-21 Nov, 2025 | 12:30
Updated-28 Apr, 2026 | 16:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Easy Invoice plugin <= 2.1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion.This issue affects Easy Invoice: from n/a through <= 2.1.4.

Action-Not Available
Vendor-MatrixAddons
Product-Easy Invoice
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2025-54015
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-6.6||MEDIUM
EPSS-0.50% / 66.25%
||
7 Day CHG~0.00%
Published-16 Jul, 2025 | 10:36
Updated-28 Apr, 2026 | 16:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress HT Contact Form 7 plugin <= 2.0.0 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows PHP Local File Inclusion.This issue affects HT Contact Form 7: from n/a through <= 2.0.0.

Action-Not Available
Vendor-HasTech IT Limited (HasThemes)
Product-HT Contact Form 7
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2023-6583
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.6||MEDIUM
EPSS-2.33% / 85.04%
||
7 Day CHG~0.00%
Published-11 Jan, 2024 | 08:32
Updated-08 Apr, 2026 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Import and export users and customers <= 1.24.2 - Authenticated(Administrator+) Directory Traversal via Recurring Import Functionality

The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information.

Action-Not Available
Vendor-codectioncarazo
Product-import_and_export_users_and_customersImport and export users and customers
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE ID-CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Details not found