CVE-2025-60087
Published: 20 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-60087 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the Extensive VC Addons for WPBakery Page Builder plugin (extensive-vc-addon) developed by Nenad Obradovic. This flaw impacts all versions from n/a through 1.9.1. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.
Remote, unauthenticated attackers can exploit this vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks enable high-impact compromise of confidentiality, integrity, and availability, allowing inclusion and potential execution of local PHP files on the target server.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/extensive-vc-addon/vulnerability/wordpress-extensive-vc-addons-for-wpbakery-page-builder-plugin-1-9-1-local-file-inclusion-vulnerability?_s_id=cve details the vulnerability in this WordPress plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-60087 is a Local File Inclusion vulnerability in a public-facing WordPress plugin, directly enabling T1190 (Exploit Public-Facing Application) for unauthenticated remote exploitation leading to unauthorized local file access and potential code execution.