CVE-2025-60200 is a Remote File Inclusion (RFI) vulnerability found in the ThimPress LearnPress Export Import plugin for WordPress, affecting versions up to 4.0.9. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to specify a remote file to be included and executed by the server. This can lead to unauthorized disclosure of sensitive information, as the attacker can load arbitrary PHP code hosted remotely. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network, increasing its risk profile. The CVSS 3.1 base score is 7.5, reflecting high impact on confidentiality but no direct impact on integrity or availability. Although no known exploits are currently reported in the wild, the nature of RFI vulnerabilities makes them attractive targets for attackers seeking to gain unauthorized access or execute malicious code. The plugin is commonly used in e-learning platforms to export and import course data, making educational institutions and organizations relying on LearnPress potentially vulnerable. The lack of vendor patches at the time of publication necessitates immediate mitigation through alternative controls such as input validation and web application firewall rules. Monitoring for anomalous file inclusion attempts and restricting outgoing HTTP requests from the web server can also reduce exploitation risk.

The primary impact of CVE-2025-60200 is the unauthorized disclosure of sensitive information due to remote file inclusion. Attackers can potentially execute arbitrary PHP code by including malicious remote files, which could lead to data leakage or further compromise of the affected system. For European organizations, particularly those in education and e-learning sectors using LearnPress Export Import, this vulnerability could expose student data, course materials, and internal configurations. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can have regulatory consequences under GDPR, including fines and reputational damage. The ease of exploitation without authentication or user interaction increases the likelihood of attacks. Additionally, compromised servers could be used as pivot points for lateral movement within networks, amplifying the threat. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity score indicates urgent attention is required to prevent potential exploitation.

1. Apply official patches from ThimPress as soon as they become available to address the vulnerability directly. 2. Until patches are released, implement strict input validation and sanitization on any parameters controlling file inclusion to prevent remote URLs or unexpected inputs. 3. Configure web application firewalls (WAFs) to detect and block attempts to include remote files or suspicious URL patterns in requests targeting the LearnPress Export Import plugin. 4. Restrict outbound HTTP/HTTPS requests from the web server to prevent the server from fetching malicious remote files. 5. Monitor server logs for unusual include or require statements and anomalous network traffic indicative of exploitation attempts. 6. Limit plugin usage to trusted administrators and restrict access to export/import functionalities. 7. Conduct security audits and penetration tests focusing on file inclusion vulnerabilities in WordPress environments. 8. Educate IT and security teams about the risks of RFI vulnerabilities and ensure timely patch management processes are in place.