CVE-2025-60202 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement' in the PHP program 'Kyle Phillips Favorites,' specifically affecting versions up to 2.3.6. This vulnerability allows remote attackers to exploit a Local File Inclusion (LFI) flaw by manipulating the filename parameter used in include or require statements within the PHP code. The flaw arises because the application fails to properly validate or sanitize user-supplied input that determines which files are included during execution. As a result, an attacker can craft a request that causes the application to include arbitrary files from the local filesystem. This can lead to disclosure of sensitive information such as configuration files, source code, or other data stored on the server. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality (C:H) with no impact on integrity or availability (I:N/A:N). Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a prime candidate for exploitation by attackers seeking to gather sensitive information or prepare for further attacks. The vulnerability was published on November 6, 2025, with the initial reservation date on September 25, 2025. No patches or fixes are linked in the provided data, indicating that affected organizations must seek updates from the vendor or implement mitigations themselves.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data hosted on web servers running the affected Kyle Phillips Favorites PHP application. Attackers can remotely access and read arbitrary files on the server without authentication, potentially exposing credentials, internal configuration files, or proprietary information. This can lead to further compromise, such as privilege escalation or lateral movement within the network. The lack of impact on integrity and availability means the system's operation and data modification are not directly threatened, but the breach of confidentiality alone can have severe regulatory and reputational consequences, especially under GDPR. Organizations relying on this software for web content or user data management should consider the risk of data leakage and potential compliance violations. The absence of known exploits currently provides a window for proactive mitigation, but the ease of exploitation and high impact necessitate urgent attention.

1. Immediately check for and apply any official patches or updates released by Kyle Phillips addressing this vulnerability. 2. If patches are not yet available, implement strict input validation and sanitization on all parameters that influence file inclusion, ensuring only expected filenames or whitelisted paths are accepted. 3. Configure the PHP environment to disable dangerous functions such as 'allow_url_include' and restrict 'include_path' to trusted directories only. 4. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit LFI vulnerabilities, including suspicious traversal sequences or unusual file inclusion patterns. 5. Conduct thorough code reviews to identify and remediate any other insecure file inclusion practices within the application. 6. Monitor web server and application logs for anomalous requests that may indicate exploitation attempts. 7. Segment and isolate web servers to limit the impact of any potential breach. 8. Educate development and operations teams about secure coding practices related to file inclusion and input handling. These steps go beyond generic advice by focusing on environment hardening, proactive detection, and secure coding tailored to this specific vulnerability.