CVE-2025-60189 is a Remote File Inclusion (RFI) vulnerability found in the PoloPag – Pix Automático para Woocommerce plugin, a payment integration tool for WooCommerce that facilitates Pix payments. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to supply a malicious remote file URL. When the plugin processes this input, it includes and executes the attacker's code on the server, leading to remote code execution. The vulnerability affects all versions up to 2.0.9. The CVSS 3.1 base score is 7.5, reflecting network attack vector, high attack complexity, no privileges required, but user interaction is necessary. The impact covers confidentiality, integrity, and availability, as arbitrary code execution can lead to data theft, site defacement, or service disruption. Although no public exploits are currently documented, the nature of RFI vulnerabilities makes this a significant threat. The plugin is widely used in WooCommerce environments that support Pix payments, a popular payment method in Latin America, but also adopted by European merchants targeting Brazilian customers. The vulnerability stems from insufficient input validation and lack of secure coding practices around dynamic file inclusion. No official patches or mitigation links are currently available, indicating the need for immediate attention by site administrators.

For European organizations, especially e-commerce businesses using WooCommerce with the PoloPag Pix payment plugin, this vulnerability poses a critical risk. Successful exploitation can lead to full server compromise, data breaches involving customer payment information, and disruption of online sales operations. Given the plugin’s role in payment processing, attackers could manipulate transactions or steal sensitive financial data, violating GDPR and other data protection regulations. The attack requires user interaction, such as a crafted URL or request, which could be delivered via phishing or malicious links. The high attack complexity reduces the likelihood of widespread automated exploitation but targeted attacks against high-value merchants are plausible. The absence of known exploits currently provides a window for mitigation, but the vulnerability’s severity demands urgent remediation to prevent potential damage. Additionally, compromised servers could be used as pivot points for further attacks within corporate networks or for launching supply chain attacks.

1. Monitor PoloPag and WooCommerce official channels for security patches and apply updates immediately once available. 2. Until patches are released, disable or remove the PoloPag plugin if feasible, especially on production environments handling sensitive transactions. 3. Implement strict input validation and sanitization on all parameters that influence file inclusion or require/include statements. 4. Configure PHP settings to disable remote file inclusion (e.g., setting allow_url_include=Off in php.ini) to prevent inclusion of remote files. 5. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities. 6. Restrict file system permissions to limit the web server’s ability to read or execute unauthorized files. 7. Conduct security audits and code reviews of custom or third-party plugins before deployment. 8. Educate users and administrators about phishing and social engineering tactics that could deliver malicious payloads requiring user interaction. 9. Maintain regular backups and incident response plans to recover quickly from potential compromises.