CVE-2025-60190 is a Remote File Inclusion (RFI) vulnerability found in the Immocaster WordPress plugin developed by Hinnerk Altenburg, affecting versions up to and including 1.3.6. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to specify a remote file to be included and executed by the server. This can lead to arbitrary code execution, enabling attackers to compromise the confidentiality and integrity of the affected web server and potentially pivot to other internal systems. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), such as visiting a crafted URL or triggering a specific request. The CVSS v3.1 base score is 8.1, indicating a high severity level, with network attack vector (AV:N), low attack complexity (AC:L), and no privileges required. Although no known exploits are currently reported in the wild, the nature of RFI vulnerabilities makes them attractive targets for attackers aiming to deploy web shells, steal sensitive data, or deface websites. Immocaster is a plugin used primarily for real estate listings on WordPress sites, which are common in European markets. The lack of available patches at the time of disclosure increases the urgency for mitigation. The vulnerability's impact is limited to the plugin's presence and usage, but given WordPress's widespread adoption, the attack surface is significant. The flaw can be exploited remotely, making it a critical concern for organizations relying on this plugin for their online real estate services.

For European organizations, especially those operating real estate websites using the Immocaster plugin, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized remote code execution, allowing attackers to access sensitive client data, modify website content, or deploy malware. This compromises confidentiality and integrity, potentially damaging organizational reputation and violating data protection regulations such as GDPR. The availability impact is minimal but could occur if attackers deface or disrupt the website. Given the plugin's niche use in real estate, sectors heavily reliant on online property listings in Europe—such as Germany, France, the UK, and the Netherlands—are at higher risk. Attackers could leverage this vulnerability to gain footholds in corporate networks or conduct further attacks. The lack of authentication requirements lowers the barrier for exploitation, increasing the threat level. Additionally, the vulnerability could be exploited as part of broader campaigns targeting WordPress ecosystems in Europe, where WordPress holds a dominant market share.

Immediate mitigation steps include updating the Immocaster plugin to a patched version once available. Until a patch is released, organizations should consider disabling or removing the plugin to eliminate the attack vector. Implement strict input validation and sanitization on any parameters that influence file inclusion paths to prevent remote file references. Employ Web Application Firewalls (WAFs) configured to detect and block suspicious file inclusion attempts and anomalous HTTP requests targeting the plugin's endpoints. Monitor web server logs for unusual access patterns or attempts to include remote files. Restrict outbound HTTP requests from the web server to prevent fetching malicious remote files. Conduct regular security audits of WordPress plugins and maintain an inventory of installed plugins to quickly identify vulnerable components. Educate website administrators about the risks of installing unverified plugins and the importance of timely updates. Finally, implement least privilege principles for web server processes to limit the impact of potential code execution.