PHP Remote File Inclusion Vulnerability in WooCommerce Store Toolkit by Josh Kohlbach
CVE-2025-60204

7.5HIGH

Key Information:

Vendor: WordPress
Status: WooCommerce Store Toolkit
Vendor: CVE Published:; 6 November 2025

What is CVE-2025-60204?

The WooCommerce Store Toolkit, developed by Josh Kohlbach, contains a vulnerability allowing improper control over filenames during include or require statements. This flaw may permit attackers to achieve PHP Local File Inclusion, compromising the security of the affected WordPress installations. The vulnerability impacts all versions up to 2.4.3, highlighting the need for users to update and secure their systems to prevent unauthorized access and data breaches.

Affected Version(s)

WooCommerce Store Toolkit <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/wooc...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 6, 2025
Vulnerability Reserved
Sep 25, 2025

Credit

LVT-tholv2k | Patchstack Bug Bounty Program

JSON