CVE-2025-60150: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wpshuffle Subscribe to Download

Severity: High
Tags: Vulnerability, CVE-2025-60150, cve, cve-2025-60150, cwe-98
Published: Fri Sep 26 2025 (09/26/2025, 08:31:52 UTC)
Source: CVE Database V5
Vendor/Project: wpshuffle
Product: Subscribe to Download

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through 2.0.9.

AI-Powered Analysis

AI analysis last updated: 09/26/2025, 13:20:02 UTC

Technical Analysis

CVE-2025-60150 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the 'Subscribe to Download' plugin developed by wpshuffle, up to version 2.0.9. The vulnerability enables a PHP Local File Inclusion (LFI) attack vector, where an attacker can manipulate the filename parameter used in PHP include or require functions to load unintended files from the local filesystem. This can lead to arbitrary code execution, disclosure of sensitive information, or complete compromise of the affected web server. The CVSS 3.1 base score is 7.5, indicating a high severity level. The vector string (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) shows that the attack is network exploitable (AV:N), requires low privileges (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability to a high degree. However, the attack complexity is high (AC:H), meaning exploitation requires specific conditions or knowledge. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability arises because the plugin does not properly sanitize or restrict the filename input used in PHP include/require statements, allowing attackers to traverse directories or specify arbitrary local files. This can lead to disclosure of configuration files, source code, or injection of malicious code if combined with other vulnerabilities or misconfigurations. Since the vulnerability is local file inclusion rather than remote file inclusion, the attacker is limited to files accessible on the server's filesystem, but this still poses a significant risk, especially if sensitive files or writable directories are accessible. 
The plugin is typically used in WordPress environments to manage subscription-based downloads, so affected systems are primarily WordPress websites using this plugin version or earlier.
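The CWE-98 pattern described above, as an added illustration that is not code from the Subscribe to Download plugin: a generic include built from request input, beside a hardened version that treats the input as an allowlist key and confines the resolved path with realpath(). The parameter name 'template' and the template directory layout are assumptions; the plugin's real parameter names are not on this page.

```php
<?php
// Added example, not code from the Subscribe to Download plugin: a generic
// CWE-98 include pattern and a hardened replacement. The request parameter
// name 'template' and the templates directory layout are assumptions.

declare(strict_types=1);

// VULNERABLE: the include path is built directly from request input, so a
// value containing '../' (or any other unexpected path component) reaches
// the filesystem unchecked. This is the CWE-98 pattern the advisory names.
function renderTemplateVulnerable(array $request, string $templateDir): void
{
    $name = $request['template'] ?? 'default';
    include $templateDir . '/' . $name . '.php';
}

// Allowlist: user input is a key, never a path. Anything not in the map
// fails closed.
const TEMPLATE_MAP = [
    'default' => 'default.php',
    'compact' => 'compact.php',
];

// Resolve an allowlisted key to an absolute path and, as defence in depth,
// verify that the resolved path really lies inside $templateDir.
function resolveTemplate(string $key, string $templateDir): ?string
{
    if (!array_key_exists($key, TEMPLATE_MAP)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . TEMPLATE_MAP[$key]);
    if ($base === false || $path === false) {
        return null;            // directory or file does not exist
    }
    // The containment prefix ends in a separator so that a sibling directory
    // such as "templates_old" is not accepted as "templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function renderTemplateHardened(array $request, string $templateDir): void
{
    $key = (string) ($request['template'] ?? 'default');
    $path = resolveTemplate($key, $templateDir);
    if ($path === null) {
        http_response_code(400);
        echo "Unknown template\n";
        return;
    }
    include $path;
}

// Stand-alone demonstration against a throwaway template directory.
$dir = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/default.php', "<?php echo \"default template\\n\";\n");
file_put_contents($dir . '/compact.php', "<?php echo \"compact template\\n\";\n");

renderTemplateHardened(['template' => 'compact'], $dir);
renderTemplateHardened(['template' => '../config'], $dir);

// Show how the resolver treats a range of keys: allowlisted names resolve,
// traversal and embedded-NUL variants are rejected before any include runs.
foreach (['default', 'compact', '../config', "default\0"] as $key) {
    printf("%-22s => %s\n", json_encode($key), resolveTemplate($key, $dir) ?? 'rejected');
}

array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

The allowlist is the actual fix; the realpath() containment check is a second layer that also covers mistakes in the map itself (a symlinked entry, for instance). An open_basedir restriction, which the mitigation section recommends, adds a third layer at the interpreter level that the plugin code cannot bypass.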

Potential Impact

For European organizations, the impact of CVE-2025-60150 can be significant, particularly for those relying on WordPress websites with the 'Subscribe to Download' plugin installed. Successful exploitation can lead to unauthorized disclosure of sensitive data such as configuration files, user credentials, or proprietary content. It can also enable attackers to execute arbitrary code, potentially leading to full server compromise, defacement, or pivoting to internal networks. This is especially critical for organizations handling personal data under GDPR, as breaches could result in regulatory penalties and reputational damage. E-commerce, media, and subscription-based service providers are particularly at risk due to the nature of the plugin’s functionality. Moreover, the high impact on confidentiality, integrity, and availability means that business operations could be disrupted, customer trust eroded, and financial losses incurred. Given the network exploitability and lack of required user interaction, attackers can remotely target vulnerable sites, increasing the threat landscape. Although exploitation complexity is high, skilled attackers or automated tools could still leverage this vulnerability once more details or exploits become available. The absence of patches at the time of publication further elevates risk until mitigations or updates are applied.

Mitigation Recommendations

To mitigate CVE-2025-60150 effectively, European organizations should take the following specific actions:

1) Immediately audit all WordPress installations to identify the presence of the 'Subscribe to Download' plugin, especially versions up to 2.0.9.
2) Disable or remove the plugin temporarily if it cannot be updated or patched promptly.
3) Monitor web server logs for suspicious requests attempting to manipulate include parameters or unusual file access patterns indicative of LFI attempts.
4) Implement Web Application Firewall (WAF) rules tailored to detect and block attempts to exploit file inclusion vulnerabilities, such as blocking requests with directory traversal sequences or suspicious parameter values.
5) Harden the PHP configuration directives that govern file inclusion (e.g., allow_url_include=Off, open_basedir restrictions) to limit the scope of what an include statement can reach.
6) Restrict file permissions on the web server to prevent unauthorized reading of sensitive files and ensure that the web server user has minimal privileges.
7) Stay updated with vendor advisories and apply patches or updates as soon as they become available.
8) Conduct penetration testing focused on file inclusion vulnerabilities to verify the effectiveness of mitigations.
9) Educate developers and administrators on secure coding practices to prevent improper input validation in include/require statements.

These measures go beyond generic advice by focusing on immediate plugin management, proactive detection, and environment hardening tailored to this vulnerability's nature.
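Mitigation step 3 (log monitoring for LFI attempts), as an added example that is not part of the advisory: a small PHP CLI helper that reads combined-format access log lines, URL-decodes each query parameter value twice to defeat double encoding, and reports lines carrying directory traversal sequences, embedded null bytes, or PHP stream wrappers. The log lines are constructed samples; the endpoint and the 'file' parameter are placeholders, not the plugin's real names.

```php
<?php
// Added example, not part of the advisory: a log review helper for
// mitigation step 3. Log lines below are constructed; the endpoint and
// parameter names are placeholders rather than the plugin's real ones.

declare(strict_types=1);

// Indicators that rarely appear in legitimate values for a download or
// template parameter. Each entry is [regex, label]. Values are matched after
// decoding, so encoded and double-encoded forms are caught as well.
const LFI_INDICATORS = [
    ['~(^|[/\\\\])\.\.([/\\\\]|$)~',             'directory traversal'],
    ['~\x00~',                                  'null byte'],
    ['~\b(php|phar|file|data|expect|zip)://~i', 'stream wrapper'],
];

// Decode twice so that %252e%252e (double-encoded "..") is normalised.
function normalize(string $s): string
{
    return rawurldecode(rawurldecode($s));
}

// Extract the request target from a combined-format log line.
function requestTarget(string $line): ?string
{
    if (preg_match('~"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/[\d.]+"~', $line, $m)) {
        return $m[1];
    }
    return null;
}

// Return one finding per suspicious line: line number, client IP, parameter,
// matched indicator, and the raw request target for the analyst.
function detectLfiAttempts(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $target = requestTarget($line);
        if ($target === null) {
            continue;
        }
        // Split the raw query before decoding so an encoded '&' inside a
        // value does not create a spurious parameter boundary.
        $query = explode('?', $target, 2)[1] ?? '';
        foreach ($query === '' ? [] : explode('&', $query) as $pair) {
            [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
            $value = normalize($value);
            foreach (LFI_INDICATORS as [$re, $label]) {
                if (preg_match($re, $value) === 1) {
                    $findings[] = [
                        'line'   => $i + 1,
                        'ip'     => strtok($line, ' '),
                        'param'  => rawurldecode($name),
                        'reason' => $label,
                        'target' => $target,
                    ];
                    continue 3;   // one finding per log line is enough
                }
            }
        }
    }
    return $findings;
}

// Constructed sample log (combined format). Only the first line is benign.
$sampleLog = [
    '203.0.113.10 - - [26/Sep/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=download&file=brochure.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [26/Sep/2025:10:02:03 +0000] "GET /wp-admin/admin-ajax.php?action=download&file=..%2F..%2Fconfig.php HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '198.51.100.7 - - [26/Sep/2025:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=download&file=%252e%252e%252f%252e%252e%252fsecret.txt HTTP/1.1" 404 0 "-" "python-requests/2.32"',
    '192.0.2.9 - - [26/Sep/2025:10:03:15 +0000] "GET /wp-admin/admin-ajax.php?action=download&file=php://filter/resource=readme.txt HTTP/1.1" 403 0 "-" "curl/8.4.0"',
];

foreach (detectLfiAttempts($sampleLog) as $f) {
    printf("line %d  %-14s %-20s param=%s  %s\n",
        $f['line'], $f['ip'], $f['reason'], $f['param'], $f['target']);
}
```

For triage, pair each finding with the response status and size from the same line: a traversal request answered with 200 and a non-empty body (the second sample) is the one to investigate first, while 403/404 responses usually indicate the WAF or filesystem permissions from steps 4 and 6 did their job. The same three indicator classes map directly onto the WAF rules step 4 calls for.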

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-09-25T15:28:03.106Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d692e1828ba7f61ebe57de

Added to database: 9/26/2025, 1:19:29 PM

Last enriched: 9/26/2025, 1:20:02 PM

Last updated: 9/30/2025, 4:33:43 PM
