CVE-2025-10406
Description
The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function(s), allowing any authenticated user, such as a contributor, to perform LFI attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users with contributor-level access can exploit unsanitized shortcode attributes in BlindMatrix e-Commerce < 3.1 to perform local file inclusion (LFI) attacks.
The BlindMatrix e-Commerce WordPress plugin versions before 3.1 fail to validate shortcode attributes before using them to construct file paths passed to PHP include functions. This lack of sanitization allows an attacker to control the path argument, leading to local file inclusion (LFI) [1].
Any authenticated user with at least contributor-level privileges can exploit this vulnerability by crafting a malicious shortcode attribute. No additional authentication or special permissions beyond contributor access are required, making the attack surface relatively broad for sites with multiple authors [1].
Successful exploitation enables an attacker to include arbitrary local files from the server, potentially exposing sensitive information such as configuration files, database credentials, or source code. The impact is limited to file disclosure; remote code execution is not directly achieved unless combined with other vulnerabilities [1].
The vulnerability is fixed in version 3.1 of the plugin. Users are advised to update immediately. No workarounds are documented, and the issue is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
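As an added illustration (not the plugin's own code), the following hypothetical shortcode handler shows the defect class described above, an attribute value flowing unvalidated into an include path, next to a hardened version that resolves the attribute against a fixed allowlist and confirms the resolved file stays inside the templates directory. The shortcode tag, function names and template names are assumptions; the WordPress API calls (shortcode_atts, sanitize_key, plugin_dir_path, add_shortcode) are real.

```php
<?php
// Added example, not BlindMatrix code: hypothetical handler illustrating CVE-2025-10406's
// defect class (unvalidated shortcode attribute used to build an include path).

// VULNERABLE: any contributor who can place [bm_products template="..."] in a post
// controls part of the path handed to include; a traversal sequence in the attribute
// escapes the templates directory (appending ".php" does not stop that).
function bm_example_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'bm_products' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// HARDENED: the attribute selects a name from an allowlist; it never forms a path.
const BM_EXAMPLE_TEMPLATES = array( 'default', 'grid', 'list' ); // assumed template set

function bm_example_resolve_template( $requested ) {
    // sanitize_key() keeps only lowercase a-z, 0-9, '_' and '-', so no slashes or dots.
    $name = sanitize_key( (string) $requested );
    return in_array( $name, BM_EXAMPLE_TEMPLATES, true ) ? $name : 'default';
}

function bm_example_hardened_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts, 'bm_products' );
    $dir  = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $dir . '/' . bm_example_resolve_template( $atts['template'] ) . '.php' );

    // Defence in depth: refuse anything that does not resolve to a file under $dir.
    if ( false === $dir || false === $file
        || 0 !== strpos( $file, $dir . DIRECTORY_SEPARATOR ) ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'bm_products', 'bm_example_hardened_shortcode' );
```

When reviewing a plugin for this class of bug, grep for `include`/`require` whose operand is built from `$atts`, `$_GET`/`$_POST` or option values, and check that the value is mapped through an allowlist rather than merely having a prefix or suffix appended.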
Affected products
- Range: <3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.