CVE-2025-60087 is a vulnerability classified as improper control of filename for include/require statements within the PHP code of the Extensive VC Addons for WPBakery page builder plugin. This vulnerability allows an attacker to perform remote file inclusion (RFI) or local file inclusion (LFI) attacks by manipulating the filename parameter used in PHP include or require functions. The plugin fails to properly validate or sanitize user-supplied input that determines which files are included, enabling an attacker to specify arbitrary files. This can lead to execution of malicious PHP code hosted remotely or on the local server, resulting in remote code execution (RCE). The vulnerability affects all versions up to and including 1.9.1 of the plugin. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, no privileges required, no user interaction, but high attack complexity. Although no known exploits are currently in the wild, the nature of the vulnerability makes it a critical concern for websites using this plugin, especially given the widespread use of WPBakery page builder in WordPress environments. The vulnerability was reserved in late 2025 and published in early 2026, with no official patch links available at the time of this report.

The impact of CVE-2025-60087 is significant for organizations using the Extensive VC Addons for WPBakery page builder plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the affected web server. This can result in full system compromise, including data theft, website defacement, deployment of malware or ransomware, and pivoting to internal networks. Confidentiality is at risk due to potential unauthorized access to sensitive data. Integrity can be compromised by unauthorized modification of website content or backend data. Availability may be affected if attackers disrupt services or deploy destructive payloads. Given the plugin’s integration with WordPress, a widely used CMS, the scale of affected systems can be large, impacting small businesses, enterprises, and hosting providers. The absence of required authentication lowers the barrier for attackers, although the high attack complexity may limit automated exploitation. Nonetheless, the threat is serious and could be leveraged in targeted attacks or widespread campaigns once exploit code becomes available.

To mitigate CVE-2025-60087, organizations should immediately update the Extensive VC Addons for WPBakery page builder plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should consider disabling or removing the plugin if it is not essential. Web application firewalls (WAFs) can be configured to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities, such as those containing directory traversal sequences or remote URLs in parameters. Implement strict input validation and sanitization on all user-supplied data, especially parameters controlling file paths. Restrict PHP configuration settings to disable allow_url_include and limit file inclusion to trusted directories. Monitor web server logs for unusual access patterns indicative of exploitation attempts. Employ least privilege principles for web server processes to minimize impact if exploitation occurs. Regularly back up website data and configurations to enable recovery from potential compromises. Finally, maintain awareness of vendor advisories and threat intelligence updates related to this vulnerability.