CVE-2025-60072 is a vulnerability classified as a Local File Inclusion (LFI) issue within the Processby Anchor smooth scroll PHP plugin, versions up to 1.0.2. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the file path and include arbitrary local files from the server. This can lead to disclosure of sensitive files such as configuration files, source code, or credentials, and in some cases, it may enable remote code execution if the attacker can include files containing malicious code or upload files to the server. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. Although no public exploits have been reported yet, the nature of LFI vulnerabilities makes them a significant risk, especially for web applications exposed to the internet. The plugin is commonly used to implement smooth scrolling functionality in PHP-based websites, and its improper input validation on file inclusion parameters is the root cause. No official patches or updates have been linked yet, and no CVSS score has been assigned, indicating the need for immediate attention from users of the affected versions.

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive data, including user information, internal configuration files, and credentials, potentially resulting in data breaches and compliance violations under GDPR. If attackers achieve remote code execution, they could compromise entire web servers, leading to service disruption, data manipulation, or use of the compromised infrastructure for further attacks. Public-facing websites using the vulnerable plugin are particularly at risk, which could damage organizational reputation and trust. The impact is heightened for sectors with stringent data protection requirements such as finance, healthcare, and government institutions. Additionally, the ease of exploitation without authentication increases the likelihood of automated scanning and exploitation attempts, raising the urgency for mitigation in European environments.

Organizations should immediately audit their web applications to identify usage of the Processby Anchor smooth scroll plugin, specifically versions up to 1.0.2. Until an official patch is released, it is critical to implement strict input validation and sanitization on any parameters controlling file inclusion paths to prevent manipulation. Employing web application firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts can provide temporary protection. Restrict PHP include paths using configuration directives such as open_basedir to limit accessible directories. Regularly monitor logs for unusual file access patterns indicative of exploitation attempts. Where feasible, isolate vulnerable components in sandboxed environments to reduce potential damage. Finally, maintain an active vulnerability management process to apply patches promptly once available from the vendor.