CVE-2025-27362 is a vulnerability classified under CWE-98, which pertains to improper control of filenames used in PHP include or require statements. Specifically, this vulnerability exists in the BZOTheme Petito PHP theme, affecting versions prior to 1.6.6. The flaw allows an attacker to perform Remote File Inclusion (RFI) by manipulating the filename parameter in include/require statements, causing the PHP interpreter to load and execute malicious code from a remote source. This can lead to arbitrary code execution on the server, enabling attackers to compromise the confidentiality, integrity, and availability of the affected system. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, although it has a high attack complexity, indicating some conditions must be met for successful exploitation. The CVSS v3.1 base score is 8.1, with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, high complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly. The root cause is insufficient validation or sanitization of input controlling the filename in PHP include/require statements, a common issue in PHP applications that can lead to severe security breaches.

The impact of CVE-2025-27362 is significant for organizations using the BZOTheme Petito PHP theme, especially in web environments running PHP-based content management or e-commerce systems. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the affected web server. This can result in data theft, website defacement, installation of backdoors or malware, lateral movement within the network, and disruption of services. Confidential customer data and intellectual property may be exposed or altered, damaging organizational reputation and potentially leading to regulatory penalties. The vulnerability’s network accessibility and lack of required authentication increase the risk of automated or targeted attacks. Given the widespread use of PHP in web applications globally, organizations that do not promptly remediate this vulnerability face elevated risk of compromise and operational disruption.

To mitigate CVE-2025-27362, organizations should immediately upgrade the BZOTheme Petito theme to version 1.6.6 or later once available, as this will contain the official patch addressing the vulnerability. Until a patch is applied, implement strict input validation and sanitization on all parameters controlling file inclusion paths to prevent injection of remote URLs. Disable allow_url_include and allow_url_fopen directives in the PHP configuration to block remote file inclusion attempts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious include/require requests. Conduct thorough code reviews to identify and refactor unsafe dynamic file inclusion patterns. Monitor web server logs for unusual requests targeting include parameters. Restrict file permissions and isolate web application components to limit the impact of potential exploitation. Finally, maintain regular backups and incident response plans to quickly recover from any compromise.