
CVE-2025-60207: Unrestricted Upload of File with Dangerous Type in Addify Custom User Registration Fields for WooCommerce

Critical
Published: Thu Nov 06 2025 (11/06/2025, 15:55:06 UTC)
Source: CVE Database V5
Vendor/Project: Addify
Product: Custom User Registration Fields for WooCommerce

Description

Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce (user-registration-plugin-for-woocommerce) allows Upload a Web Shell to a Web Server. This issue affects Custom User Registration Fields for WooCommerce: from n/a through <= 2.1.2.

AI-Powered Analysis

AI analysis last updated: 01/20/2026, 21:49:54 UTC

Technical Analysis

CVE-2025-60207 affects the Addify Custom User Registration Fields for WooCommerce plugin (WordPress slug user-registration-plugin-for-woocommerce) in versions up to and including 2.1.2. The plugin adds custom fields to the WooCommerce registration form, including a file-upload capability. The weakness is CWE-434, Unrestricted Upload of File with Dangerous Type: the upload path does not adequately validate or filter the type of submitted files, so an attacker can store a file the web server will execute, such as a PHP web shell, under the web root and then request it. Because registration forms are exposed to anonymous visitors by design, the analysis rates the flaw as exploitable without authentication or user interaction, which makes it a direct remote code execution primitive running as the web server user.

The analysis cites a CVSS score of 10.0 (network attack vector, low attack complexity, no privileges required, no user interaction, changed scope, high confidentiality, integrity and availability impact). Note that the CVE record reproduced under Technical Details below lists no CVSS version, so confirm the vector against the assigner's (Patchstack) advisory before using the score for prioritisation. Whatever the exact vector, the consequence is the same: full compromise of the WordPress host, theft of the WooCommerce customer and order database, defacement, or service disruption.

No public exploit is known at the time of this analysis, but an upload weakness with no preconditions is trivial to weaponise; the usual pattern for this weakness class is a single upload request followed by a request for the stored file. WooCommerce powers a large share of e-commerce sites, so the population of exposed installs is correspondingly large.

Potential Impact

For European organizations running WooCommerce with the Addify plugin, the risk is severe. A web shell on the store's web server gives the attacker the WordPress database credentials and therefore the customer records and order history, and, where card data or payment tokens pass through the site, those too; the result is a reportable personal data breach under GDPR with the associated regulatory and financial exposure. Integrity is equally at risk: an attacker with code execution can alter product listings and prices, inject card-skimming or phishing content into checkout pages, or add persistence such as rogue administrator accounts. Availability can be affected if the foothold is used to deploy ransomware or simply to disrupt the store. Because the flaw is reachable remotely without credentials, mass exploitation by opportunistic scanners is the realistic expectation once an exploit circulates, and e-commerce infrastructure is a high-value target for exactly that kind of campaign.

Mitigation Recommendations

Update the plugin to a release newer than 2.1.2 as soon as the vendor publishes one; the CVE record lists only versions through 2.1.2 as affected. Until a fixed version is installed, deactivate the plugin, or at minimum remove any file-upload field from the registration form, rather than relying on perimeter controls alone. Monitor the vendor's and Patchstack's advisories for the fix and apply it promptly.

The single most effective interim control is to deny PHP execution under wp-content/uploads at the web server itself (an Apache directive for that directory that turns the PHP engine off or denies .php requests, or an nginx location rule that returns 403 for PHP paths under uploads), so that an uploaded shell cannot run even if the upload succeeds. Match all interpreter-mapped extensions (.php, .php5, .php7, .phtml, .phar), not just .php, and also block double extensions such as .php.jpg. A web application firewall rule that rejects multipart uploads whose filename carries an executable extension in any dotted segment adds a second layer; the .jsp and .asp types often listed in generic guidance are irrelevant on a PHP host but harmless to include. In any custom upload handling, validate server-side against an allow-list of extensions, verify the content by its magic bytes rather than the client-supplied MIME type, store files under server-generated names, and keep the upload directory outside the web root where possible.

For detection, watch the access logs for requests to .php paths under wp-content/uploads (a 200 response there is strong evidence of a running web shell), for newly created PHP files in the uploads tree, and for POSTs to the registration endpoint followed shortly by such requests. If a shell is found, treat the host as fully compromised: rotate the database and WordPress credentials and salts, check for added administrator users and modified core, theme and plugin files, and restore from a known-good backup. Network segmentation limits what a compromised web host can reach, and tested, offline backups make recovery possible. Finally, make sure development teams understand that file-upload handling needs allow-list validation and execution controls, so the same weakness is not reintroduced.
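The two detection checks recommended above, run over constructed data as an added example; this is not the page's or the vendor's tooling. The log lines are in Apache combined format and are made up for the demonstration, the registration-endpoint path in them is illustrative rather than the plugin's real upload endpoint, and the uploads tree is built in a temporary directory so the scan runs offline.

```python
"""Two post-exploitation checks for a WordPress host: (1) flag requests for
PHP under wp-content/uploads in an Apache combined-format access log, and
(2) walk the uploads tree for files that are PHP by extension or content.

Added example with constructed log lines and files; not the page's or
vendor's tooling, and the request paths are illustrative.
"""
import os
import re
import tempfile
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP reached through the uploads tree is the web-shell signature; a 200 means it ran.
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/[^?]*\.(?:php\d?|phtml|phar)(?:\?|$)", re.IGNORECASE)
PHP_MARKER = re.compile(rb"<\?php|<\?=", re.IGNORECASE)
EXECUTABLE_EXT = {".php", ".php5", ".php7", ".phtml", ".phar"}

# Constructed sample log: one upload POST, then the shell being used, then a blocked probe.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2025:16:01:02 +0000] "POST /my-account/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Nov/2025:16:01:05 +0000] "GET /wp-content/uploads/2025/11/avatar.php?cmd=id HTTP/1.1" 200 143 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Nov/2025:16:02:10 +0000] "GET /wp-content/uploads/2025/11/logo.png HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Nov/2025:16:03:44 +0000] "POST /wp-content/uploads/2025/11/avatar.php HTTP/1.1" 200 2048 "-" "python-requests/2.32"
198.51.100.9 - - [06/Nov/2025:16:05:00 +0000] "GET /wp-content/uploads/2025/11/old.phtml HTTP/1.1" 403 199 "-" "curl/8.0"
"""


def find_uploads_php_hits(log_text: str):
    """Return (ip, method, path, status) for every request to PHP under uploads."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and UPLOADS_PHP_RE.search(m["path"]):
            hits.append((m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])))
    return hits


def executed_shell_sources(log_text: str) -> Counter:
    """IPs whose requests to PHP under uploads returned 200, i.e. the code ran."""
    return Counter(ip for ip, _, _, status in find_uploads_php_hits(log_text) if status == 200)


def scan_uploads(root: str):
    """Relative paths of files that are PHP by extension or carry a PHP open tag
    in their first 4 KiB (polyglot images are the second case)."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(4096)
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXT or PHP_MARKER.search(head):
                flagged.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(flagged)


def demo_scan() -> list:
    """Build a constructed uploads tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "2025", "11")
        os.makedirs(d)
        with open(os.path.join(d, "logo.png"), "wb") as fh:          # benign image
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        with open(os.path.join(d, "avatar.php"), "wb") as fh:        # plain web shell
            fh.write(b"<?php system($_GET['cmd']); ?>")
        with open(os.path.join(d, "banner.jpg"), "wb") as fh:        # JPEG/PHP polyglot
            fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php eval($_POST['x']); ?>")
        return scan_uploads(root)


if __name__ == "__main__":
    for hit in find_uploads_php_hits(SAMPLE_LOG):
        print("uploads PHP request:", hit)
    print("sources that executed code:", dict(executed_shell_sources(SAMPLE_LOG)))
    print("flagged files:", demo_scan())
```

The 403 on old.phtml in the sample is what a correctly configured uploads directory looks like after the web-server execution block is in place: the request is still worth alerting on, because it shows someone probing for a shell, but the file did not run. The filesystem scan flags the JPEG polyglot even though its extension is harmless, since a misconfigured handler or a later rename is all it takes to turn it into a shell.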


Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-09-25T15:28:42.280Z
Cvss Version
null
State
PUBLISHED

Threat ID: 690cc80cca26fb4dd2f595d6

Added to database: 11/6/2025, 4:08:44 PM

Last enriched: 1/20/2026, 9:49:54 PM

Last updated: 2/6/2026, 12:27:55 AM

Views: 26
