CVE-2025-12851: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wphocus My auctions allegro

Severity: High
Published: Fri Dec 05 2025 (12/05/2025, 09:27:00 UTC)
Source: CVE Database V5
Vendor/Project: wphocus
Product: My auctions allegro

Description

CVE-2025-12851 is a high-severity Local File Inclusion (LFI) vulnerability in the 'My auctions allegro' WordPress plugin by wphocus, affecting all versions up to and including 3.6.32. It allows unauthenticated attackers to manipulate the 'controller' parameter to include and execute arbitrary files on the server, potentially leading to remote code execution. The flaw can be used to bypass access controls, expose sensitive data, and execute malicious PHP code, including code hidden in uploads that pass as 'safe' file types such as images. No known exploits are currently reported in the wild. The vulnerability has a CVSS score of 8.1, indicating a significant risk. European organizations using this plugin on WordPress sites are at risk, especially those with public-facing auction or e-commerce platforms. Mitigation requires immediate patching, or disabling the plugin until a patch is available, together with strict input validation and restrictions on file upload types and locations.

AI-Powered Analysis

Last updated: 12/05/2025, 10:00:49 UTC

Technical Analysis

CVE-2025-12851 is a Local File Inclusion vulnerability classified under CWE-98, found in the 'My auctions allegro' WordPress plugin developed by wphocus. The flaw exists in all versions up to and including 3.6.32 and is triggered via the 'controller' parameter. An attacker can exploit this vulnerability without authentication by manipulating this parameter to include arbitrary files from the server. This can lead to the execution of arbitrary PHP code embedded in those files, effectively enabling remote code execution. The vulnerability arises due to improper control over the filename used in include/require statements, allowing attackers to bypass intended access controls. This can result in unauthorized data disclosure, code execution, and full compromise of the affected web server. The vulnerability is rated high severity with a CVSS 3.1 score of 8.1, reflecting network attack vector, high impact on confidentiality, integrity, and availability, and no user interaction required. Although no public exploits are currently known, the nature of the vulnerability makes it a critical risk for WordPress sites using this plugin, especially those handling auctions or e-commerce functions. The lack of available patches necessitates immediate mitigation efforts by administrators.

Potential Impact

For European organizations, this vulnerability poses a significant threat to the confidentiality, integrity, and availability of web servers running WordPress with the vulnerable plugin. Exploitation can lead to unauthorized access to sensitive customer data, including auction details and user credentials, potentially violating GDPR and other data protection regulations. The ability to execute arbitrary PHP code can allow attackers to deploy web shells, pivot within internal networks, and disrupt business operations. E-commerce platforms and auction sites are particularly at risk due to their public exposure and transactional nature. The reputational damage and potential financial losses from data breaches or service outages could be substantial. Additionally, the vulnerability could be leveraged in broader cyber campaigns targeting European digital marketplaces, increasing the risk for organizations in countries with high e-commerce activity.

Mitigation Recommendations

1. Immediately disable or uninstall the 'My auctions allegro' plugin until a secure patch is released.
2. Monitor official vendor channels and WordPress plugin repositories for updates or patches addressing CVE-2025-12851.
3. Implement strict input validation and sanitization on the 'controller' parameter to prevent malicious file inclusion.
4. Restrict file upload types and enforce server-side checks to prevent uploading executable PHP code disguised as images or other safe file types.
5. Use web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'controller' parameter.
6. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and their configurations.
7. Employ the principle of least privilege on web server file permissions to limit the impact of any successful exploitation.
8. Maintain comprehensive logging and monitoring to detect anomalous file inclusion attempts or code execution activities.
9. Educate site administrators about the risks of using outdated or unmaintained plugins and encourage timely updates.
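A defender-side check for recommendations 5 and 8 above, added here as an example that is not code from this page or from the wphocus plugin: it parses constructed access-log lines and flags any request whose 'controller' value is not a plain controller name (traversal sequences, absolute paths, URL schemes, null bytes). The endpoint path, the sample client addresses and the controller name 'auctions' are assumptions; the plugin's real endpoints and controller names are not given on this page.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format). The endpoint path,
# client addresses and the controller name 'auctions' are assumptions.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:09:30:01 +0000] "GET /?controller=auctions HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Dec/2025:09:30:02 +0000] "GET /?controller=..%2F..%2Fwp-config HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [05/Dec/2025:09:30:03 +0000] "GET /?controller=%2Fwp-content%2Fuploads%2Favatar.jpg HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.13 - - [05/Dec/2025:09:30:04 +0000] "GET /?p=1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# A legitimate controller selector should be a short bare identifier, nothing else.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_controller(value: str) -> Optional[str]:
    """Return a reason if the value looks like a file-inclusion attempt, else None."""
    decoded = unquote(value)  # parse_qs decoded once; a second pass catches double-encoding
    if "\x00" in decoded:
        return "null byte"
    if ".." in decoded.replace("\\", "/").split("/"):
        return "path traversal"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", decoded):
        return "url scheme / stream wrapper"
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", decoded):
        return "absolute path"
    if not SAFE_NAME.match(decoded):
        return "not a plain controller name"
    return None


def scan_log(text: str, param: str = "controller") -> List[Dict]:
    """Return one finding per request whose `param` value fails classify_controller."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = classify_controller(value)
            if reason:
                findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                                 "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} controller={f['value']!r} ({f['reason']})")
```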


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-06T23:45:33.325Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6932a9b1f88dbe026c8e9fb0

Added to database: 12/5/2025, 9:45:21 AM

Last enriched: 12/5/2025, 10:00:49 AM

Last updated: 12/5/2025, 12:06:23 PM
