CVE-2025-60200 is a vulnerability identified in the ThimPress LearnPress Export Import plugin, a WordPress extension used for managing course content export and import in e-learning environments. The flaw arises from improper control over the filename parameter used in PHP include or require statements, enabling an attacker to perform Local File Inclusion (LFI). This means an attacker can manipulate the input to include arbitrary files from the server's filesystem, potentially exposing sensitive information such as configuration files, credentials, or source code. The vulnerability affects all versions up to and including 4.0.9. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the vulnerability's remote exploitability without authentication or user interaction, and its impact on confidentiality. The attack vector is network-based, with low attack complexity and no privileges required. While no integrity or availability impacts are noted, the confidentiality breach can lead to further attacks or data leaks. No public exploits have been reported yet, but the presence of this vulnerability in a widely used WordPress plugin makes it a significant risk, especially for organizations relying on LearnPress for their e-learning platforms. The vulnerability was reserved in late September 2025 and published in early November 2025, indicating recent discovery and disclosure.

For European organizations, especially those in education, training, and e-learning sectors using WordPress with the LearnPress Export Import plugin, this vulnerability poses a significant risk of sensitive data exposure. Confidentiality breaches could lead to leakage of user data, course materials, or internal configuration files, potentially resulting in reputational damage, regulatory non-compliance (e.g., GDPR violations), and facilitation of subsequent attacks such as privilege escalation or remote code execution. Since the vulnerability requires no authentication and can be exploited remotely, any publicly accessible WordPress site with the affected plugin is at risk. This could impact universities, vocational training providers, and corporate training platforms across Europe. The lack of integrity or availability impact limits direct disruption but does not diminish the severity of data exposure. The absence of known exploits in the wild currently reduces immediate risk but does not preclude rapid exploitation following public disclosure.

Organizations should immediately inventory their WordPress installations to identify the presence of the LearnPress Export Import plugin and verify its version. Until an official patch is released by ThimPress, administrators should consider disabling or removing the plugin to eliminate exposure. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate include/require parameters. Restrict PHP file inclusion paths via server configuration to prevent inclusion of arbitrary files outside designated directories. Monitor server and application logs for unusual file inclusion attempts or anomalous access patterns. Educate site administrators on the risks of installing unverified plugins and enforce strict update policies. Once a patch is available, prioritize its deployment and validate the fix in a test environment before production rollout. Additionally, conduct regular security assessments and vulnerability scans focusing on WordPress plugins to detect similar issues proactively.