CVE-2025-60189: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in PoloPag PoloPag – Pix Automático para Woocommerce
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments allows PHP Local File Inclusion. This issue affects PoloPag – Pix Automático para Woocommerce: from n/a through <= 2.0.9.
AI Analysis
Technical Summary
CVE-2025-60189 is a Remote File Inclusion (RFI) vulnerability found in the PoloPag – Pix Automático para Woocommerce plugin, a payment integration tool for WooCommerce. The vulnerability arises from improper control over the filename used in PHP include or require statements, allowing an attacker to supply a malicious remote file path. This can lead to arbitrary code execution on the server, enabling attackers to compromise the confidentiality, integrity, and availability of the affected system. The vulnerability affects versions up to and including 2.0.9. The CVSS 3.1 score is 7.5, indicating high severity, with attack vector network (AV:N), attack complexity high (AC:H), no privileges required (PR:N), user interaction required (UI:R), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are currently known, the nature of RFI vulnerabilities makes them attractive targets for attackers aiming to execute remote code, deploy backdoors, or pivot within compromised networks. The plugin’s role in processing payments in WooCommerce environments increases the risk, as successful exploitation could lead to theft of payment data, disruption of e-commerce operations, and broader network compromise. The vulnerability was reserved in late September 2025 and published in early November 2025, indicating recent discovery and disclosure. No official patches or mitigations have been linked yet, emphasizing the need for proactive defensive measures.
Potential Impact
For European organizations, especially those operating e-commerce platforms using WooCommerce with the PoloPag plugin, this vulnerability poses a significant risk. Exploitation could lead to unauthorized remote code execution, allowing attackers to steal sensitive customer payment information, manipulate transaction data, or disrupt online sales operations. This could result in financial losses, reputational damage, regulatory penalties under GDPR due to data breaches, and operational downtime. The high attack complexity and requirement for user interaction somewhat limit mass exploitation but do not eliminate targeted attacks, particularly against high-value targets such as large retailers or financial service providers. The impact on availability could disrupt critical payment processing, affecting business continuity. Furthermore, compromised systems could be used as footholds for lateral movement within corporate networks, increasing the scope of damage.
Mitigation Recommendations
1. Immediately monitor for updates or patches from PoloPag and apply them as soon as they become available.
2. Until patched, restrict the plugin's ability to include remote files by disabling allow_url_include and allow_url_fopen in PHP configurations.
3. Implement strict input validation and sanitization on any parameters controlling file inclusion to prevent injection of malicious paths.
4. Use web application firewalls (WAFs) with rules designed to detect and block RFI attempts targeting PHP include/require functions.
5. Conduct regular security audits and code reviews of custom WooCommerce plugins and integrations.
6. Limit the plugin's file system permissions to the minimum necessary to reduce potential damage from exploitation.
7. Educate users and administrators about phishing or social engineering tactics that might trigger the required user interaction for exploitation.
8. Employ network segmentation to isolate e-commerce systems from critical internal infrastructure.
9. Monitor logs for unusual file inclusion requests or errors indicating attempted exploitation.
10. Prepare incident response plans specifically addressing web application compromise scenarios.
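Recommendations 2, 3 and 9 above come together in the following added illustration of CWE-98 handling in PHP. It is not the plugin's code: the request parameter name `template`, the `templates/` directory and the allowlist keys are hypothetical, and the weak pattern is shown only to contrast it with the allowlist-based form, which closes both remote and local inclusion.

```php
<?php
// Added illustration (not from wc-polo-payments). The parameter name
// "template" and the templates/ layout are hypothetical.

// Weak pattern: the request decides which file is loaded. With
// allow_url_include=On this can reach a URL; with it Off, path
// traversal in $template still yields local file inclusion.
function render_weak(string $template): void {
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: map a short key onto a fixed allowlist, then
// confirm the canonical path still lies inside the templates directory.
const TEMPLATE_ALLOWLIST = [
    'checkout' => 'checkout.php',
    'receipt'  => 'receipt.php',
];

function resolve_template(string $key): ?string {
    if (!array_key_exists($key, TEMPLATE_ALLOWLIST)) {
        return null;                       // unknown key: refuse, never guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$key]);
    // realpath() collapses ".." and returns false for missing files, so a
    // prefix check on the canonical path is the belt to the allowlist's braces.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_safe(string $key): void {
    $path = resolve_template($key);
    if ($path === null) {
        http_response_code(400);
        // Rejected keys are logged so monitoring (recommendation 9) can alert on them.
        error_log('rejected template key: ' . $key);
        return;
    }
    include $path;
}

// Defence in depth (recommendation 2): surface a php.ini that still permits URL includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; remote inclusion remains possible');
}

render_safe($_GET['template'] ?? 'checkout');
```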
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:34.981Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690cc801ca26fb4dd2f593ea
Added to database: 11/6/2025, 4:08:33 PM
Last enriched: 1/20/2026, 9:45:03 PM
Last updated: 2/7/2026, 5:54:24 PM