CVE-2025-60193
📋 TL;DR
This CVE describes a PHP Local File Inclusion vulnerability in the Premmerce User Roles WordPress plugin. Attackers can exploit improper filename control in include/require statements to read sensitive files on the server. WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Premmerce User Roles WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through reading sensitive files like /etc/passwd, database credentials, or executing arbitrary code via PHP wrappers.
Likely Case
Information disclosure of sensitive server files, potentially leading to credential theft or further exploitation.
If Mitigated
Limited impact if file permissions are restrictive and PHP configurations disable dangerous functions.
🎯 Exploit Status
Local File Inclusion vulnerabilities are commonly exploited and tooling exists for automated exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.0.13
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Premmerce User Roles' and update to latest version. 4. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate premmerce-user-roles
Restrict PHP File Functions
allConfigure PHP to disable dangerous functions and restrict file access.
Add to php.ini: disable_functions = allow_url_fopen,allow_url_include
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block LFI patterns
- Restrict file system permissions and implement strict access controls
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Premmerce User Roles version. If version is 1.0.13 or lower, system is vulnerable.Check Version:
wp plugin get premmerce-user-roles --field=versionVerify Fix Applied:
Verify plugin version is higher than 1.0.13 in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in PHP error logs
- HTTP requests with suspicious file path parameters
Network Indicators:
- HTTP requests containing file path traversal patterns (../, /etc/passwd, etc.)
SIEM Query:
web_access_logs WHERE url CONTAINS 'premmerce-user-roles' AND (url CONTAINS '../' OR url CONTAINS '/etc/' OR url CONTAINS 'php://')