CVE-2025-60240 HIGH

CVE-2025-60240: WordPress AnyComment plugin <= 0.3.6 - Local File Inclusion vulnerability

Vendor: Alexander
Product: AnyComment
Weakness: CWE-98 (improper control of filename for include/require statement in PHP program, i.e. PHP file inclusion)
Published: November 6, 2025
Last update: April 28, 2026

CVSS base score: 7.5/10 (High)

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description (what the vulnerability does)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment (anycomment) allows PHP Local File Inclusion. This issue affects AnyComment: from n/a through <= 0.3.6.

Summary (explanation of the vulnerability in simple terms)

AnyComment versions 0.3.6 and earlier contain a local file inclusion vulnerability (CWE-98) that allows attackers to execute arbitrary code on affected sites. Exploitation requires user interaction: typically a victim must click a malicious link or visit a crafted page. An attacker with no prior authentication can use this to read sensitive data, modify site content, or disrupt service.

Attacker capabilities (what an attacker can do)

Execute arbitrary code on the site, read sensitive data, modify content, or cause service disruption.

Site impact (potential impact on your site)

An attacker can run malicious code on your site without needing a user account, potentially compromising your entire installation.

Prerequisites (conditions required to exploit)

No authentication is required, but the victim must click a link or visit a page controlled by the attacker.

Disclosure timeline (key dates)

November 6, 2025: CVE published
April 28, 2026: Record updated