CVE-2025-60202 identifies a vulnerability in the Kyle Phillips Favorites PHP application, specifically related to improper control over filenames used in include or require statements. This flaw allows an attacker to exploit Local File Inclusion (LFI), a type of vulnerability where an attacker can trick the application into including files from the local filesystem. The vulnerability arises because the application does not adequately validate or sanitize user-supplied input that determines which files are included, enabling an attacker to specify arbitrary files. The CVSS 3.1 base score of 7.5 reflects the vulnerability's characteristics: it is remotely exploitable over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality (C:H) without affecting integrity or availability. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component. Exploiting this vulnerability can lead to unauthorized disclosure of sensitive files such as configuration files, password stores, or source code, which can further facilitate additional attacks. The affected product versions are up to 2.3.6, with no patch links currently provided, indicating that organizations must be vigilant and apply mitigations proactively. No known exploits have been reported in the wild yet, but the vulnerability's nature and ease of exploitation make it a high-risk issue. The vulnerability was reserved in late September 2025 and published in early November 2025, indicating recent discovery and disclosure.

For European organizations, this vulnerability poses a significant risk to confidentiality, particularly for entities running the Kyle Phillips Favorites PHP application on their web servers. Successful exploitation can lead to exposure of sensitive internal files, including credentials, configuration data, or proprietary information, potentially resulting in data breaches and compliance violations under GDPR. Public sector organizations, financial institutions, and healthcare providers are especially vulnerable due to the sensitivity of their data. The lack of required authentication and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Additionally, the vulnerability could be leveraged as a foothold for further attacks, such as privilege escalation or lateral movement within networks. The impact extends to reputational damage and potential legal consequences for failure to protect personal data. Given the widespread use of PHP in European web infrastructure, organizations using this product or similar PHP-based applications should consider this a critical threat.

Organizations should immediately audit their use of the Kyle Phillips Favorites application and identify affected versions (up to 2.3.6). Until an official patch is released, implement strict input validation and sanitization on any parameters controlling file inclusion to prevent arbitrary file paths. Employ web application firewalls (WAFs) with rules designed to detect and block LFI attack patterns. Restrict PHP include paths to trusted directories using configuration directives such as open_basedir. Disable unnecessary PHP functions like include, require, or allow_url_include if not needed. Monitor web server logs for suspicious requests attempting to access sensitive files or unusual URL parameters. Conduct regular security assessments and penetration tests focusing on file inclusion vulnerabilities. When a patch becomes available, prioritize its deployment in all affected environments. Additionally, implement network segmentation to limit the impact of potential breaches and ensure backups are maintained securely to enable recovery if exploitation occurs.