CVE-2025-60153: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-60153) was discovered in the WordPress Subscribe To Unlock plugin affecting versions through 1.1.5. The vulnerability was initially reported on June 6, 2025, and publicly disclosed on September 26, 2025. The security issue was identified by researcher João Pedro S Alcântara (Kinorth) (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion), identified as CWE-98. It received a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor-level privileges or higher to exploit (Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which might lead to a complete database takeover depending on the system configuration (Patchstack).

As of the disclosure date, no official fix has been made available for this vulnerability. The issue affects versions up to and including 1.1.5 of the Subscribe To Unlock plugin (Patchstack).