CVE-2025-60191 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly known as a PHP Local File Inclusion (LFI) flaw, found in the Premmerce Wishlist for WooCommerce plugin (versions up to and including 1.1.10). This vulnerability arises because the plugin fails to properly validate or sanitize user-supplied input that controls the filename parameter in PHP include or require statements. As a result, an attacker can manipulate the input to include arbitrary files from the local filesystem of the web server. This can lead to remote code execution if the attacker can include files containing malicious PHP code or sensitive information disclosure if arbitrary files are read. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting a high severity level due to the ease of exploitation (network vector, low attack complexity), no privileges required, and a significant impact on integrity (code execution or modification). No known public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a serious risk for affected installations. The plugin is widely used in WooCommerce environments, which power many e-commerce websites globally, including in Europe. The flaw specifically affects the Premmerce Wishlist for WooCommerce plugin, which is used to add wishlist functionality to WooCommerce stores, making it a critical concern for online retailers relying on this plugin for customer engagement and sales.

For European organizations, especially e-commerce businesses using WooCommerce with the Premmerce Wishlist plugin, this vulnerability poses a significant risk. Exploitation could allow attackers to execute arbitrary PHP code on the web server, leading to full compromise of the affected web application. This can result in unauthorized modification of website content, theft of customer data, insertion of malicious scripts (e.g., for phishing or malware distribution), and disruption of business operations. The integrity of the web platform is directly threatened, potentially damaging brand reputation and customer trust. Given the widespread use of WooCommerce in Europe, particularly in countries with mature e-commerce markets such as Germany, the UK, France, and the Netherlands, the impact could be substantial. Additionally, compromised e-commerce sites may be used as pivot points for further attacks within corporate networks or to launch supply chain attacks. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation if unpatched.

1. Immediate action should be to monitor for and apply any official patches or updates released by Premmerce addressing this vulnerability. 2. If no patch is available, implement manual code review and remediation by ensuring all inputs controlling include/require statements are strictly validated and sanitized to allow only expected filenames or paths. 3. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities, such as suspicious URL parameters or payloads attempting directory traversal. 4. Restrict PHP file inclusion paths using PHP configuration directives like open_basedir to limit accessible directories. 5. Conduct thorough security audits and penetration testing on WooCommerce installations to detect any signs of exploitation or other vulnerabilities. 6. Educate development and operations teams about secure coding practices related to file inclusion and input validation. 7. Maintain regular backups and incident response plans to quickly recover from potential compromises. 8. Monitor logs for unusual access patterns or errors related to file inclusion attempts.