CVE-2025-60087 Overview
CVE-2025-60087 is a Local File Inclusion (LFI) vulnerability affecting the Extensive VC Addons plugin for WPBakery page builder, a popular WordPress plugin developed by Nenad Obradovic. The vulnerability stems from improper control of filename parameters used in PHP include/require statements, classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).
This security flaw allows attackers to manipulate file inclusion paths, potentially enabling them to include arbitrary local files from the server. Successful exploitation could lead to disclosure of sensitive configuration files, source code exposure, and in certain conditions, remote code execution through log poisoning or other chained attack techniques.
Critical Impact
Unauthenticated attackers can potentially include arbitrary local files on vulnerable WordPress installations, leading to sensitive information disclosure, configuration exposure, and possible remote code execution through chained attacks.
Affected Products
- Extensive VC Addons for WPBakery page builder versions through 1.9.1
- WordPress sites using the extensive-vc-addon plugin
Discovery Timeline
- 2026-02-20 - CVE-2025-60087 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2025-60087
Vulnerability Analysis
This vulnerability is categorized as a PHP Local File Inclusion (LFI) issue, where the plugin fails to properly sanitize or validate user-supplied input before using it in PHP include or require statements. The attack vector is network-based and requires no authentication or user interaction, though it has a higher attack complexity due to the conditions required for successful exploitation.
When exploited, an attacker can manipulate file path parameters to traverse directories and include sensitive files from the web server. This can expose critical system files such as /etc/passwd, WordPress configuration files containing database credentials (wp-config.php), or other sensitive application data.
The vulnerability's impact extends across all three security pillars: confidentiality, integrity, and availability—each rated as high impact. This means successful exploitation could allow attackers to read sensitive data, modify application behavior by including malicious files, and potentially crash or disrupt the service.
Root Cause
The root cause lies in the plugin's improper handling of filename parameters passed to PHP's include() or require() functions. The plugin fails to implement adequate input validation, path canonicalization, or whitelist-based filtering of allowable file paths. This allows attackers to inject directory traversal sequences (such as ../) or absolute paths to access files outside the intended directory scope.
CWE-98 specifically addresses this pattern where PHP programs accept user input that influences which files are included in the execution context, without proper sanitization to prevent malicious path manipulation.
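The CWE-98 pattern described above, shown as an added example that is not the plugin's code: a parameter flowing straight into include() next to an allowlist-based replacement. Directory and template names are constructed for illustration.

```php
<?php
// Added example, not code from the Extensive VC Addons plugin: the CWE-98
// pattern this section describes beside an allowlist-based replacement.
// Directory and template names are constructed for illustration.
// VULNERABLE: a request parameter flows straight into include(). A value
// such as "../../secret" steps out of the template directory.
function render_vulnerable(string $base, string $template): void {
    include $base . '/' . $template . '.php';
}

// HARDENED: map a short key to a fixed file name and refuse anything else.
const TEMPLATES = ['grid' => 'grid.php', 'carousel' => 'carousel.php'];

function resolve_template(string $base, string $key): ?string {
    if (!isset(TEMPLATES[$key])) {
        return null;                       // unknown key: refuse, do not guess
    }
    $realBase = realpath($base);
    $path     = realpath($base . '/' . TEMPLATES[$key]);
    // Defence in depth: the canonical path must still sit inside the base dir.
    if ($realBase === false || $path === false
        || !str_starts_with($path, $realBase . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

function render_hardened(string $base, string $key): void {
    $path = resolve_template($base, $key);
    if ($path === null) {
        echo "rejected: unknown template\n";   // inside WordPress: wp_die()
        return;
    }
    include $path;
}

// Stand-alone demo: a throwaway template directory plus a file outside it.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/grid.php', '<?php echo "grid template\n";');
file_put_contents($dir . '/secret.php', '<?php echo "leaked: db_password=constructed\n";');

render_hardened($dir . '/templates', 'grid');        // grid template
render_hardened($dir . '/templates', '../secret');   // rejected: unknown template
render_vulnerable($dir . '/templates', '../secret'); // leaked: db_password=constructed

array_map('unlink', [$dir . '/templates/grid.php', $dir . '/secret.php']);
rmdir($dir . '/templates');
rmdir($dir);
```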
Attack Vector
The attack is executed remotely over the network without requiring authentication. An attacker can craft malicious HTTP requests containing manipulated file path parameters targeting vulnerable plugin endpoints. Common exploitation techniques include:
- Directory traversal using sequences like ../../../ to escape the web root
- Including WordPress configuration files to obtain database credentials
- Accessing system files to enumerate server configuration
- Log file inclusion (log poisoning) combined with injected PHP code for remote code execution
The vulnerability can be exploited through standard HTTP requests to the WordPress installation, making it accessible to any network attacker who can reach the target site.
Detection Methods for CVE-2025-60087
Indicators of Compromise
- Unusual HTTP requests containing directory traversal patterns (../, ..%2f, ..%252f) targeting plugin endpoints
- Web server logs showing requests for sensitive files like /etc/passwd or wp-config.php through plugin parameters
- Error logs indicating failed file inclusion attempts or path-related warnings
- Unexpected access patterns to the extensive-vc-addon plugin directories
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block directory traversal patterns in request parameters
- Monitor web server access logs for requests containing path traversal sequences targeting the extensive-vc-addon plugin
- Implement file integrity monitoring on critical WordPress files and system configuration files
- Configure intrusion detection systems to alert on LFI attack signatures
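The log-based indicators and the access-log monitoring strategy above, as an added example that is not part of the advisory: a PHP CLI scanner over combined-format access log lines that decodes URL-encoding repeatedly so encoded and double-encoded traversal sequences are caught. The log lines, and the endpoint and parameter names in them, are constructed placeholders, not the plugin's real paths.

```php
<?php
// Added example, not part of the advisory: scan combined-format access log
// lines for the indicators listed above, decoding URL-encoding repeatedly so
// that ..%2f and double-encoded ..%252f are caught as well as plain ../ .
// The three log lines (endpoint and parameter names included) are constructed.
const PLUGIN_PATH = 'extensive-vc-addon';
const SENSITIVE   = ['/etc/passwd', 'wp-config.php'];

function normalize(string $s): string {
    for ($i = 0; $i < 3; $i++) {           // decode until stable, bounded
        $d = rawurldecode($s);
        if ($d === $s) break;
        $s = $d;
    }
    return strtolower(str_replace('\\', '/', $s));
}

// Returns null for benign lines, otherwise why the line is suspicious.
function classify(string $line): ?array {
    if (!preg_match('~"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})~', $line, $m)) {
        return null;
    }
    $norm    = normalize($m[1]);
    $reasons = [];
    if (str_contains($norm, '../')) {
        $reasons[] = 'traversal';
    }
    foreach (SENSITIVE as $file) {
        if (str_contains($norm, $file)) {
            $reasons[] = 'sensitive-file:' . $file;
        }
    }
    if ($reasons === []) {
        return null;
    }
    // A 200 on a traversal request deserves a higher severity than a 404.
    return ['target' => $m[1], 'status' => (int) $m[2],
            'plugin' => str_contains($norm, PLUGIN_PATH), 'reasons' => $reasons];
}

$logs = [
    '203.0.113.5 - - [20/Feb/2026:10:01:02 +0000] "GET /wp-content/plugins/extensive-vc-addon/PLACEHOLDER.php?file=../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '203.0.113.5 - - [20/Feb/2026:10:01:09 +0000] "GET /wp-content/plugins/extensive-vc-addon/PLACEHOLDER.php?file=..%252f..%252fwp-config.php HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '198.51.100.7 - - [20/Feb/2026:10:02:00 +0000] "GET /wp-content/plugins/extensive-vc-addon/assets/style.css HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];
foreach ($logs as $line) {
    if (($hit = classify($line)) !== null) {
        printf("ALERT [%s] plugin=%s status=%d %s\n", implode(',', $hit['reasons']),
               $hit['plugin'] ? 'yes' : 'no', $hit['status'], $hit['target']);
    }
}
```

Only the first two lines produce alerts; the stylesheet request is left alone.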
Monitoring Recommendations
- Enable verbose logging for the WordPress installation and monitor for unusual file access patterns
- Set up alerts for any requests to the plugin endpoints containing encoded traversal sequences
- Monitor for unusual server resource usage that might indicate successful exploitation
- Review web server error logs regularly for file inclusion failures or permission denied errors
How to Mitigate CVE-2025-60087
Immediate Actions Required
- Disable or deactivate the Extensive VC Addons plugin (extensive-vc-addon) until a patched version is available
- Implement Web Application Firewall rules to block requests containing directory traversal patterns
- Review server access logs for any indicators of past exploitation attempts
- Restrict file system permissions to limit readable files if exploitation is suspected
Patch Information
Site administrators should monitor the Patchstack Vulnerability Report for updated information on patches. Upgrade to a patched version of the plugin immediately when available. All versions through 1.9.1 are confirmed vulnerable.
Workarounds
- Temporarily disable the Extensive VC Addons plugin if it's not critical to site functionality
- Implement strict WAF rules to filter path traversal characters and sequences from all incoming requests
- Use open_basedir PHP configuration to restrict file access to the WordPress directory
- Apply principle of least privilege to web server user file system permissions
# PHP configuration to restrict file inclusion scope
# php.ini (or the php-fpm pool file); applies to include/require and all file functions.
# Keep the trailing slash: without it the value is a prefix match (wordpress2 would pass).
# If the upload temp directory lies elsewhere, append it with a ':' separator.
open_basedir = /var/www/html/wordpress/
# Equivalent when PHP runs as an Apache module (vhost or .htaccess); php-fpm ignores .htaccess
php_value open_basedir "/var/www/html/wordpress/"
# Apache mod_security rule example to block LFI attempts
# t:urlDecodeUni also catches the encoded form (..%2f); inspecting REQUEST_BODY needs SecRequestBodyAccess On
SecRule REQUEST_URI|ARGS|REQUEST_BODY "@contains ../" \
    "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'Directory traversal attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.