CVE-2025-60192 is a vulnerability categorized as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly known as a PHP Remote File Inclusion (RFI) flaw, found in the Premmerce Wholesale Pricing plugin for WooCommerce. This plugin, widely used to manage wholesale pricing on WooCommerce-based e-commerce sites, improperly handles user-supplied input in PHP include or require statements, allowing an attacker to specify arbitrary files to be included and executed by the PHP interpreter. The vulnerability affects all versions up to 1.1.10. The flaw does not require authentication or user interaction, making it remotely exploitable over the network. Successful exploitation allows an attacker to execute arbitrary PHP code on the server, compromising the integrity of the system and potentially leading to full system compromise or further lateral movement within the network. The CVSS v3.1 base score is 7.5, indicating a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and an impact primarily on integrity. No known public exploits have been reported yet, but the vulnerability's characteristics make it a critical concern for any organization using this plugin. The lack of available patches at the time of publication increases the urgency for mitigation.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the Premmerce Wholesale Pricing plugin, this vulnerability poses a significant risk. Exploitation can lead to arbitrary code execution, allowing attackers to alter pricing data, manipulate wholesale pricing logic, or inject malicious payloads that could compromise customer data or disrupt business operations. The integrity of pricing and transactional data is critical for trust and compliance with EU regulations such as GDPR. Additionally, compromised systems could be used as a foothold for further attacks within the corporate network, potentially affecting availability and confidentiality indirectly. The remote and unauthenticated nature of the exploit increases the attack surface, making it easier for threat actors to target vulnerable sites across Europe. The economic impact could be substantial due to potential financial fraud, reputational damage, and regulatory penalties.

Immediate mitigation steps include disabling the Premmerce Wholesale Pricing plugin until a security patch is released. Organizations should monitor vendor communications for official patches and apply them promptly once available. In the interim, implement strict input validation and sanitization on all user-supplied data that could influence file inclusion paths. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block attempts to exploit file inclusion vulnerabilities, such as blocking suspicious URL parameters or payloads containing remote file paths. Conduct thorough code reviews and security audits of customizations related to this plugin. Additionally, ensure that PHP configurations disable remote file inclusion (e.g., setting 'allow_url_include' to 'Off') and restrict file permissions to minimize the impact of potential exploitation. Regularly back up website data and maintain incident response plans tailored for web application compromises.