CVE-2025-60200 is a Remote File Inclusion (RFI) vulnerability found in the ThimPress LearnPress Export Import plugin, specifically in versions up to 4.0.9. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements. This flaw permits an attacker to supply a crafted filename parameter that causes the application to include and execute remote PHP files. Exploiting this vulnerability does not require authentication or user interaction and can be performed remotely over the network. The CVSS v3.1 score of 7.5 reflects a high severity, primarily due to the vulnerability's ability to compromise confidentiality by exposing sensitive data or configuration files. However, the vulnerability does not directly affect integrity or availability. The lack of known exploits in the wild suggests it is either newly disclosed or under limited exploitation. The vulnerability affects LearnPress Export Import, a plugin commonly used in WordPress-based e-learning platforms to facilitate course content export and import. The improper control of file inclusion paths is a classic PHP security issue that can lead to code execution or data leakage if exploited. The vulnerability was reserved in late September 2025 and published in early November 2025, indicating recent discovery and disclosure. No official patches or updates are linked yet, so users must apply mitigations proactively.

For European organizations, especially those relying on WordPress-based e-learning solutions, this vulnerability poses a significant risk of data exposure. Attackers can remotely include malicious files, potentially accessing sensitive educational content, user data, or configuration files. Although the vulnerability does not directly enable code execution or system disruption, the confidentiality breach can lead to further attacks, including phishing or lateral movement. The impact is heightened in sectors like education, government, and corporate training, where LearnPress is deployed. Data protection regulations such as GDPR increase the stakes, as data leaks could result in regulatory penalties and reputational damage. The ease of exploitation without authentication means attackers can scan and target vulnerable sites en masse. Additionally, the lack of user interaction requirement facilitates automated exploitation campaigns. Organizations with limited security monitoring or outdated plugin versions are particularly vulnerable. The absence of known exploits in the wild provides a window for proactive defense but should not lead to complacency.

1. Immediately update the LearnPress Export Import plugin to a patched version once available from ThimPress. 2. Until a patch is released, disable remote file inclusion in PHP by setting 'allow_url_include=Off' in the php.ini configuration. 3. Implement strict input validation and sanitization on any parameters controlling file inclusion paths within the plugin or custom code. 4. Use web application firewalls (WAFs) to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities. 5. Restrict file system permissions to prevent unauthorized reading or execution of files outside intended directories. 6. Monitor web server logs for unusual requests containing suspicious filename parameters or remote URLs. 7. Conduct regular vulnerability scans focusing on WordPress plugins, especially those related to e-learning. 8. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates. 9. Consider isolating the LearnPress plugin environment or using containerization to limit potential damage. 10. Review and audit all custom code interacting with file inclusion functions to ensure secure coding practices.