CVE-2025-60203 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP programs, specifically affecting the Josh Kohlbach Store Exporter plugin for WooCommerce (versions up to 2.7.6). This vulnerability allows an attacker to exploit a Local File Inclusion (LFI) flaw by manipulating the filename parameter used in PHP include or require statements. The flaw arises because the plugin does not properly validate or sanitize user-supplied input controlling which files are included, enabling attackers to specify arbitrary files on the server to be included and executed. The CVSS 3.1 base score is 7.5, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). Exploiting this vulnerability can lead to unauthorized disclosure of sensitive server files such as configuration files, source code, or credentials, compromising confidentiality. The vulnerability does not require authentication or user interaction, making it easier to exploit remotely. No known exploits are currently reported in the wild, but the potential impact and ease of exploitation make it a critical concern for affected users. The vulnerability was reserved on 2025-09-25 and published on 2025-11-06. No official patches or mitigations have been linked yet, so users must monitor vendor advisories closely. This vulnerability is particularly relevant for e-commerce sites using WooCommerce with the Store Exporter plugin, as it could expose sensitive business and customer data.

For European organizations, the impact of CVE-2025-60203 can be significant, especially for those operating e-commerce platforms using WooCommerce with the Store Exporter plugin. The primary risk is unauthorized disclosure of sensitive files on the web server, which may include customer data, payment information, internal configuration files, and proprietary business logic. This breach of confidentiality can lead to regulatory non-compliance under GDPR, resulting in legal penalties and reputational damage. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive information can facilitate further attacks such as credential theft, phishing, or lateral movement within the network. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and exploitation attempts. European organizations with limited patch management resources or those unaware of the vulnerability may be disproportionately affected. Additionally, the potential for data leaks can undermine customer trust and impact business continuity. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the threat landscape may evolve rapidly.

1. Immediate Actions: Monitor official vendor channels for patches or updates addressing this vulnerability and apply them promptly once available. 2. Input Validation: Implement strict input validation and sanitization on all parameters controlling file inclusion paths to prevent arbitrary file references. 3. Configuration Hardening: Restrict PHP include paths using open_basedir or disable allow_url_include directives to limit file inclusion to trusted directories only. 4. Web Application Firewall (WAF): Deploy and configure WAF rules to detect and block suspicious requests attempting to exploit LFI patterns, such as directory traversal or unexpected file extensions. 5. Access Controls: Limit access to the Store Exporter plugin interface and related endpoints to trusted IP addresses or authenticated users where possible. 6. Logging and Monitoring: Enable detailed logging of web server and application activities to detect anomalous file inclusion attempts and respond swiftly. 7. Backup and Incident Response: Maintain regular backups and prepare incident response plans to address potential data exposure or compromise. 8. Security Awareness: Educate development and operations teams about secure coding practices related to file inclusion and the risks of LFI vulnerabilities. These measures combined will reduce the attack surface and mitigate exploitation risks until official patches are released.