CVE-2025-12851: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wphocus My auctions allegro
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-12851 is a Local File Inclusion vulnerability categorized under CWE-98, found in the 'My auctions allegro' WordPress plugin developed by wphocus. It affects all versions up to and including 3.6.32 and is reachable through the 'controller' parameter. The flaw arises from improper control of the filename used in an include or require statement: the request-supplied value decides which file the PHP interpreter loads and executes. CWE-98 covers both remote and local inclusion; the advisory characterizes this instance as local, meaning the included file must already exist on the server (PHP's allow_url_include is off by default), which is why attacker-uploaded "safe" file types such as images that actually contain PHP are the practical route to code execution. Because the flaw requires neither authentication nor user interaction, an unauthenticated attacker can exploit it remotely with a single crafted HTTP request targeting the vulnerable parameter. Successful exploitation can lead to arbitrary PHP code execution on the server, enabling attackers to bypass access controls, read sensitive files (include() emits the contents of non-PHP files verbatim), or fully compromise the web server. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability with a network attack vector, no privileges required, and high attack complexity. No patches or known exploits are currently documented, but the risk remains significant given the nature of the vulnerability and the widespread use of WordPress plugins on e-commerce and auction sites.
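The following is an added example, not code from the My auctions allegro plugin, illustrating the CWE-98 pattern the summary describes and the fix the mitigation section calls for. The dispatcher shape, the function names, the controller allowlist and the temporary files it creates are all hypothetical; the plugin's real code, directory layout and controller names are not published on this page and are not assumed here.

```php
<?php
declare(strict_types=1);

// Hypothetical vulnerable dispatcher: the raw 'controller' value is spliced into the path
// handed to include(). This is the CWE-98 shape, not the plugin's actual code.
function vulnerable_dispatch(string $controllerDir, array $request): string
{
    $controller = $request['controller'] ?? 'index';
    return $controllerDir . '/' . $controller;          // "../uploads/avatar.jpg" walks out of the directory
}

// Hardened form: the untrusted value is only ever compared against a fixed allowlist,
// so no attacker-controlled characters reach the filesystem path at all.
const CONTROLLERS = ['index', 'auction', 'bid', 'search'];   // hypothetical allowlist

function safe_dispatch(string $controllerDir, array $request): ?string
{
    $controller = $request['controller'] ?? 'index';
    if (!is_string($controller) || !in_array($controller, CONTROLLERS, true)) {
        return null;                                     // unknown name: refuse, do not "clean up" and continue
    }
    $path = $controllerDir . '/' . $controller . '.php';
    // Defense in depth: resolve symlinks and '..' and confirm the result is still under the controllers dir.
    $real = realpath($path);
    $base = realpath($controllerDir);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Demo on constructed files in a temp directory: one legitimate controller and an
// "image" upload whose body is PHP, the upload-and-include case the advisory mentions.
function demo(): array
{
    $base = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
    mkdir("$base/controllers", 0700, true);
    mkdir("$base/uploads", 0700, true);
    file_put_contents("$base/controllers/auction.php", "<?php return 'auction controller';");
    file_put_contents("$base/uploads/avatar.jpg", "<?php return 'payload executed';");   // constructed

    $out = [];
    foreach (['auction', '../uploads/avatar.jpg', '../../../../../../etc/passwd'] as $name) {
        $req      = ['controller' => $name];
        $vulnPath = vulnerable_dispatch("$base/controllers", $req);
        $safePath = safe_dispatch("$base/controllers", $req);
        // Only actually include() files that live inside our temp dir, so the demo never
        // executes or dumps anything outside it; the /etc/passwd case just shows the path.
        $realVuln = is_file($vulnPath) ? realpath($vulnPath) : false;
        $executed = ($realVuln !== false && strpos($realVuln, $base) === 0)
            ? include $vulnPath
            : '(not executed in demo)';
        $out[$name] = [
            'vulnerable_includes' => $vulnPath,
            'vulnerable_result'   => $executed,          // avatar.jpg runs as PHP despite its extension
            'hardened'            => $safePath ?? 'REJECTED',
        ];
    }
    return $out;
}

print_r(demo());
```

Running it with `php demo.php` shows the vulnerable path for `../uploads/avatar.jpg` resolving to the upload and returning `payload executed`, while the hardened dispatcher only ever accepts `auction` and rejects both traversal inputs. The point of the allowlist is that rejection, not sanitization: stripping `../` and continuing is exactly what double-encoding and wrapper prefixes such as `php://` are designed to get around.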
Potential Impact
For European organizations, this vulnerability poses a substantial risk, particularly for those operating WordPress-based auction or e-commerce platforms using the 'My auctions allegro' plugin. Exploitation could lead to unauthorized access to sensitive customer data, financial information, and internal business logic, resulting in data breaches and reputational damage. The ability to execute arbitrary code on the server could allow attackers to deploy malware, establish persistent backdoors, or disrupt service availability, impacting business continuity. Given the high adoption of WordPress in Europe and the critical nature of e-commerce infrastructure, the vulnerability could affect a broad range of organizations, from small businesses to large enterprises. Regulatory frameworks such as GDPR impose strict data protection requirements, and exploitation leading to data leakage could result in significant legal and financial penalties. Additionally, the vulnerability could be leveraged in supply chain attacks or to pivot into internal networks, increasing the overall threat landscape.
Mitigation Recommendations
Immediate mitigation steps include updating the 'My auctions allegro' plugin to a patched version once available. If no patch exists, organizations should disable or uninstall the plugin to remove the attack surface. In plugin and theme code, resolve include and require targets from a fixed allowlist of controller names rather than sanitizing a user-supplied path; filters that strip '../' are routinely bypassed with URL encoding, double encoding, or stream wrappers such as php://filter. Confirm that allow_url_include is off in php.ini so a local inclusion cannot be turned into a remote one. Deploy Web Application Firewall (WAF) rules that block traversal sequences, encoded variants, null bytes, and wrapper prefixes in the 'controller' parameter. Conduct code reviews and security audits of custom plugins and themes for the same pattern. Apply least privilege to web server file permissions (the PHP worker should not be able to write to code directories) to limit the blast radius of a successful inclusion. Monitor access logs for 'controller' values that are not plain controller names, and error logs for include failures naming unexpected paths, as these indicate probing. Finally, maintain an incident response plan to act quickly on any compromise stemming from this vulnerability.
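The log-monitoring recommendation above, as an added example that is not part of the original advisory: a small PHP CLI scanner over access-log lines in combined format. The log lines are constructed for this example (RFC 5737 addresses, invented timestamps), and the request path `/?controller=` is an assumption; the plugin's real endpoint is not given on this page. The same checks are what a WAF rule for this parameter would encode.

```php
<?php
declare(strict_types=1);

// Constructed sample log (combined format); not real traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Dec/2025:10:48:22 +0000] "GET /?controller=auction HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Dec/2025:10:48:23 +0000] "GET /?controller=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.7 - - [12/Dec/2025:10:49:01 +0000] "GET /?controller=..%252F..%252Fwp-content%252Fuploads%252Favatar.jpg HTTP/1.1" 200 77 "-" "python-requests/2.32"
198.51.100.7 - - [12/Dec/2025:10:49:05 +0000] "GET /?controller=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9001 "-" "python-requests/2.32"
192.0.2.5 - - [12/Dec/2025:10:50:00 +0000] "GET /?controller=bid&id=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
LOG;

// Classify one 'controller' value. Returns an empty array for a plain controller name.
function suspicious_controller(string $raw): array
{
    // Decode repeatedly (bounded): double-encoded "..%252F" only becomes "../" on the second pass.
    $v = $raw;
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($v);
        if ($d === $v) {
            break;
        }
        $v = $d;
    }
    $reasons = [];
    if (preg_match('#(^|[/\\\\])\.\.([/\\\\]|$)#', $v)) {
        $reasons[] = 'path traversal';
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $v)) {
        $reasons[] = 'stream wrapper';                    // php://, data://, http://, ...
    }
    if (strpos($v, "\0") !== false) {
        $reasons[] = 'null byte';
    }
    if (!preg_match('#^[A-Za-z0-9_\-]+$#', $v)) {
        $reasons[] = 'characters outside a controller name';
    }
    return $reasons;
}

// Walk the log, pull the query string out of each request target and flag bad 'controller' values.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)/', $line, $m)) {
            continue;                                     // not a combined-format line
        }
        [, $ip, $ts, $target] = $m;
        $q = strpos($target, '?');
        if ($q === false) {
            continue;
        }
        parse_str(substr($target, $q + 1), $params);      // parse_str decodes one layer itself
        if (!isset($params['controller']) || !is_string($params['controller'])) {
            continue;
        }
        $reasons = suspicious_controller($params['controller']);
        if ($reasons !== []) {
            $hits[] = ['ip' => $ip, 'time' => $ts, 'controller' => $params['controller'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("%-14s %s  controller=%s  [%s]\n",
        $hit['ip'], $hit['time'], $hit['controller'], implode(', ', $hit['reasons']));
}
```

On the sample input the scanner reports three lines (the raw traversal, the double-encoded traversal to an upload, and the php://filter wrapper read of wp-config.php) and stays silent on `auction` and `bid`. Because both the allowlist fix and this detector reduce to "is the value a plain controller name", a 200 response on a flagged request is the signal to treat the host as compromised rather than merely probed.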
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T23:45:33.325Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6932a9b1f88dbe026c8e9fb0
Added to database: 12/5/2025, 9:45:21 AM
Last enriched: 12/12/2025, 10:48:22 AM
Last updated: 1/19/2026, 8:46:58 PM
Related Threats
- CVE-2026-23852: CWE-94: Improper Control of Generation of Code ('Code Injection') in siyuan-note siyuan (Medium)
- CVE-2026-1174: Resource Consumption in birkir prime (Medium)
- CVE-2026-23837: CWE-863: Incorrect Authorization in franklioxygen MyTube (Critical)
- CVE-2026-23851: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan (High)
- CVE-2026-23850: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in siyuan-note siyuan (High)