CVE-2025-60190 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly referred to as a Remote File Inclusion (RFI) flaw, found in the Immocaster WordPress plugin developed by Hinnerk Altenburg. This plugin, used primarily in real estate website contexts, suffers from insufficient validation or sanitization of user-supplied input that controls the filename parameter in PHP's include or require statements. As a result, an attacker can craft a malicious request that causes the plugin to include and execute remote PHP files under the attacker's control. This leads to remote code execution (RCE), allowing attackers to run arbitrary code on the web server without authentication. The vulnerability affects all versions up to and including 1.3.6. The CVSS v3.1 base score is 8.1, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact on confidentiality and integrity is high, while availability is not affected. No known public exploits have been reported yet, but the nature of RFI vulnerabilities makes them attractive targets for attackers aiming to compromise WordPress sites. The vulnerability was reserved in late September 2025 and published in early November 2025. No official patches or mitigation links are currently provided, emphasizing the need for immediate attention from site administrators.

For European organizations, especially those operating real estate websites or other services using the Immocaster WordPress plugin, this vulnerability poses a significant risk. Successful exploitation can lead to full compromise of the web server hosting the plugin, enabling attackers to steal sensitive data, modify website content, or pivot to internal networks. The confidentiality of customer data and business information is at high risk, as is the integrity of the website content and backend systems. While availability is not directly impacted, the potential for defacement or malware hosting could indirectly disrupt services and damage reputation. Given the widespread use of WordPress across Europe and the plugin's niche in real estate, organizations in this sector are particularly vulnerable. The requirement for user interaction (e.g., clicking a crafted link) slightly reduces exploitation likelihood but does not eliminate risk, especially in phishing-prone environments. The absence of known exploits in the wild currently offers a window for proactive defense, but the high CVSS score and ease of exploitation suggest attackers may soon develop weaponized payloads.

1. Immediately audit all WordPress sites for the presence of the Immocaster plugin and identify versions in use. 2. Apply any available patches or updates from the vendor as soon as they are released; if no patch is available, consider temporarily disabling or removing the plugin. 3. Implement strict input validation and sanitization on any user-supplied parameters controlling file inclusion paths, ideally restricting includes to a whitelist of local files. 4. Deploy Web Application Firewalls (WAFs) with rules designed to detect and block attempts to exploit RFI vulnerabilities, including suspicious URL patterns and payloads. 5. Monitor web server logs for unusual requests attempting to include remote files or access unexpected URLs. 6. Educate users and administrators about phishing risks to reduce the likelihood of user interaction with malicious links. 7. Consider isolating WordPress instances in segmented network zones to limit lateral movement if compromise occurs. 8. Regularly back up website data and configurations to enable rapid recovery in case of compromise. 9. Engage in threat intelligence sharing with industry peers to stay informed about emerging exploits targeting this vulnerability.