CVE-2025-60204 HIGH

CVE-2025-60204: WordPress WooCommerce Store Toolkit plugin <= 2.4.3 - Local File Inclusion vulnerability

Vendor Josh Kohlbach
Product WooCommerce Store Toolkit
Weakness CWE-98 · PHP file inclusion
Published November 6, 2025
Last update April 28, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion. This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3.

Explanation of Vulnerability in Simple Terms

02 Summary

WooCommerce Store Toolkit versions 2.4.3 and earlier contain a PHP local file inclusion vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service. The attack requires the victim to click a malicious link or visit a compromised page. The vulnerability stems from improper control of the filename used in a PHP include/require statement (CWE-98) in the plugin.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify site content, or disrupt the site's availability.

Potential impact on your site

04 Site Impact

Your WooCommerce store's data, content, and availability could be compromised if users visit a malicious link.

Conditions required to exploit

05 Prerequisites

Victim must click a malicious link or visit an attacker-controlled page.

Key dates

06 Disclosure timeline

November 6, 2025 CVE published
April 28, 2026 Record updated