CVE-2025-60193: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Premmerce Premmerce User Roles
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce User Roles premmerce-user-roles allows PHP Local File Inclusion. This issue affects Premmerce User Roles: from n/a through <= 1.0.13.
AI Analysis
Technical Summary
CVE-2025-60193 is a vulnerability in the Premmerce User Roles plugin for WordPress, affecting versions up to and including 1.0.13. The plugin does not adequately control the filename used in a PHP include or require statement, which results in a Local File Inclusion (LFI) vulnerability. An LFI flaw lets an attacker cause the application to include a file from the local filesystem that it never intended to load; if the attacker can control or influence the contents of that file, the outcome is arbitrary code execution. Exploitation requires neither authentication nor user interaction, so the flaw is exploitable remotely over the network.

The CVSS 3.1 base score is 7.5 (high): network attack vector, low attack complexity, no privileges required, and an impact on integrity (code execution). No exploits are currently reported in the wild, but the vulnerability still poses a significant risk to sites running the affected plugin. Premmerce User Roles manages user roles and capabilities in WordPress e-commerce deployments, so it sits directly on the site's access-control path. An attacker who exploits this flaw could execute arbitrary PHP code, leading to full site compromise, data manipulation, or pivoting to other internal systems.

The vulnerability was published on November 6, 2025; the CVE was reserved on September 25, 2025. No official patch or mitigation links are currently provided, so site administrators need to address it immediately.
Potential Impact
For European organizations, especially those running e-commerce websites on WordPress with the Premmerce User Roles plugin, this vulnerability presents a significant risk. Successful exploitation leads to unauthorized code execution, compromising the integrity of the website and potentially exposing sensitive customer data or business logic. The consequences include reputational damage, financial loss, and regulatory penalties under GDPR in the event of a data breach. Attackers could also use the compromised site as a foothold for further attacks within the network, widening the scope of impact. Because the plugin manages user permissions, attackers might escalate privileges or bypass access controls, exacerbating the damage. Since neither authentication nor user interaction is required, automated exploitation attempts are likely, which raises the urgency for European organizations to act promptly. The threat is particularly critical for sectors with high online transaction volumes and sensitive data, such as retail, finance, and healthcare.
Mitigation Recommendations
1. Monitor official Premmerce channels for patches or updates addressing CVE-2025-60193 and apply them immediately upon release.
2. In the interim, restrict the directories PHP may read from by configuring the open_basedir directive, which limits the filesystem paths an include or require can reach and so reduces the impact of arbitrary file inclusion.
3. Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block LFI attack patterns, such as suspicious URL parameters or directory traversal sequences.
4. Conduct code reviews and audits of the Premmerce User Roles plugin usage to identify and remediate any unsafe dynamic file inclusion practices.
5. Disable or remove the plugin if it is not essential, to reduce the attack surface.
6. Implement strict file permissions on the web server to prevent unauthorized file modifications.
7. Monitor web server logs for unusual requests that may indicate exploitation attempts.
8. Educate development and security teams about secure coding practices for file inclusion and input validation, to prevent similar vulnerabilities in custom code.
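The weakness class behind this CVE and the corrective pattern that recommendation 4 asks reviewers to look for, shown as an added example: this is not the Premmerce plugin's code, and the view names, function names and the views directory are assumptions.

```php
<?php
// Added illustration, not code from the Premmerce User Roles plugin.
// Function names, view names and the views directory are hypothetical.

// Weak pattern (CWE-98): the include path is built directly from a
// request-controlled value, so the caller chooses which file PHP loads.
function render_view_unsafe(string $view): void {
    include __DIR__ . '/views/' . $view . '.php';
}

// Hardened pattern: a fixed allowlist of view names, plus a containment
// check on the canonical path so nothing outside the views directory loads.
const ALLOWED_VIEWS = ['roles-list', 'role-edit', 'capabilities'];

function resolve_view_path(string $view, string $views_dir): ?string {
    // 1. Accept only names from the allowlist; reject anything else outright.
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;
    }
    // 2. Canonicalise both the base directory and the candidate file and
    //    verify the file really sits under the base (symlinks, stray
    //    separators and a misconfigured $views_dir are all caught here).
    $base = realpath($views_dir);
    $path = realpath($views_dir . '/' . basename($view) . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_view_safe(string $view, string $views_dir): void {
    $path = resolve_view_path($view, $views_dir);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown view');
    }
    include $path;
}

// Constructed usage: the view is selected by a request parameter, which is
// exactly the kind of input the allowlist must gate.
$requested = isset($_GET['view']) ? (string) $_GET['view'] : 'roles-list';
render_view_safe($requested, __DIR__ . '/views');
```

The allowlist is the primary control; open_basedir from recommendation 2 is defence in depth at the PHP configuration level and does not replace it.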
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:34.981Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 690cc809ca26fb4dd2f594cc
Added to database: 11/6/2025, 4:08:41 PM
Last enriched: 11/13/2025, 5:24:43 PM
Last updated: 11/22/2025, 8:06:34 AM
Related Threats
- CVE-2025-13384: CWE-862 Missing Authorization in codepeople CP Contact Form with PayPal (High)
- CVE-2025-13317: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar (Medium)
- CVE-2025-12877: CWE-862 Missing Authorization in themeatelier IDonate – Blood Donation, Request And Donor Management System (Medium)
- CVE-2025-12752: CWE-345 Insufficient Verification of Data Authenticity in scottpaterson Subscriptions & Memberships for PayPal (Medium)
- CVE-2025-11186: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in humanityco Cookie Notice & Compliance for GDPR / CCPA (Medium)