CVE-2025-60203 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement' in the Josh Kohlbach Store Exporter plugin for WooCommerce, identified as a PHP Local File Inclusion (LFI) flaw. This vulnerability arises because the plugin improperly validates or sanitizes user-supplied input used in PHP include or require statements, allowing an attacker to manipulate the filename parameter to include arbitrary local files on the server. Exploiting this vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The attacker can leverage this flaw to read sensitive files such as configuration files, password files, or other critical data stored on the server, thereby compromising confidentiality. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects all versions of the Store Exporter plugin up to 2.7.6. Although no public exploits are currently known, the nature of LFI vulnerabilities often leads to further exploitation, including code execution or privilege escalation, if combined with other vulnerabilities. The issue was reserved in late September 2025 and published in early November 2025, with no patch links currently available, indicating that organizations must be vigilant and apply mitigations proactively.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data managed through WooCommerce stores using the affected Store Exporter plugin. Attackers exploiting this flaw can access configuration files, database credentials, or other sensitive information, potentially leading to data breaches or further compromise of the web server. Given the widespread use of WooCommerce in Europe, especially in countries with mature e-commerce markets like Germany, the UK, France, and the Netherlands, the impact could be substantial. Compromised stores could suffer reputational damage, regulatory penalties under GDPR for data exposure, and financial losses. The vulnerability does not directly affect integrity or availability but can serve as a stepping stone for more severe attacks. The lack of authentication requirements and user interaction means attackers can scan and exploit vulnerable endpoints at scale, increasing the threat landscape for European e-commerce businesses.

1. Immediately audit all WooCommerce installations to identify the presence and version of the Store Exporter plugin. 2. Apply vendor-provided patches as soon as they become available; monitor official channels for updates. 3. In the absence of patches, implement web application firewall (WAF) rules to block suspicious requests attempting to manipulate include/require parameters, especially those containing directory traversal sequences or unexpected file extensions. 4. Restrict PHP include paths using open_basedir or similar PHP configuration directives to limit accessible directories. 5. Disable or restrict the Store Exporter plugin if it is not essential to business operations until a patch is applied. 6. Conduct regular security scans and monitor web server logs for anomalous file inclusion attempts. 7. Educate development and operations teams about secure coding practices to prevent similar vulnerabilities in custom plugins or themes. 8. Consider employing runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real time.