CVE-2025-60150: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-60150) was discovered in the WordPress Subscribe to Download plugin affecting versions through 2.0.9. The vulnerability was reported by João Pedro S Alcântara (Kinorth) on June 5, 2025, and was publicly disclosed on September 26, 2025. The issue is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires Contributor or higher level privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

As of the latest reports, no official fix is available for this vulnerability. The issue affects versions up to and including 2.0.9 of the Subscribe to Download plugin (Patchstack).