
CVE-2025-28888: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in BZOTheme GiftXtore

High
Tags: Vulnerability, CVE-2025-28888, CWE-98
Published: Mon Jun 09 2025 (06/09/2025, 15:56:52 UTC)
Source: CVE Database V5
Vendor/Project: BZOTheme
Product: GiftXtore

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion. This issue affects GiftXtore: from n/a through 1.7.4.

AI-Powered Analysis

Last updated: 07/10/2025, 22:04:53 UTC

Technical Analysis

CVE-2025-28888 is a high-severity vulnerability classified under CWE-98, which concerns improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the BZOTheme GiftXtore product up to version 1.7.4. The flaw allows for PHP Local File Inclusion (LFI), where an attacker can manipulate the filename parameter used in PHP's include or require functions to load arbitrary files from the local filesystem. This can lead to the execution of malicious code or disclosure of sensitive information. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, but it has a high attack complexity, indicating some conditions must be met for successful exploitation. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. The vulnerability can result in full compromise of the affected web application, potentially allowing attackers to execute arbitrary PHP code, read sensitive files, or disrupt service availability. No public exploits are currently known, and no patches have been linked yet, suggesting that mitigation may require vendor updates or manual code review and hardening.

Potential Impact

For European organizations using the BZOTheme GiftXtore product, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data, intellectual property, or internal configuration files, violating GDPR and other data protection regulations. The ability to execute arbitrary code could allow attackers to pivot within the network, deploy ransomware, or disrupt e-commerce operations, leading to financial losses and reputational damage. Given the remote exploitability without authentication, attackers can target vulnerable web servers directly from the internet. The high impact on confidentiality, integrity, and availability means organizations could face data breaches, service outages, and compliance penalties. This is particularly critical for European retailers and service providers relying on GiftXtore for online storefronts.

Mitigation Recommendations

Organizations should immediately inventory their use of BZOTheme GiftXtore and identify affected versions up to 1.7.4. Until an official patch is released, mitigations include: implementing strict input validation and sanitization on any parameters used in include or require statements to prevent path traversal or injection; employing web application firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts; restricting PHP file inclusion paths via configuration (e.g., open_basedir directive) to limit accessible directories; disabling unnecessary PHP functions that facilitate file inclusion; and monitoring logs for unusual access patterns indicative of exploitation attempts. Additionally, organizations should engage with BZOTheme for timely patch releases and apply updates promptly once available. Conducting code audits and penetration testing focused on file inclusion vulnerabilities can further reduce risk.
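The following PHP snippet is an added illustration and is not GiftXtore code: it shows the CWE-98 pattern described in the Technical Analysis (a request parameter reaching include()) next to the allowlist-plus-realpath hardening recommended above, together with a small check of the kind a WAF rule or log review would apply. The parameter name `template`, the directory layout and the template names are assumptions for illustration only.

```php
<?php
// Added example (not GiftXtore code): a theme "template loader" of the kind
// CWE-98 describes. The parameter name `template`, the directory layout and
// the template names below are assumptions for illustration only.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE pattern: the request value reaches include() unchecked, so any
// readable file on the server can be pulled in (local file inclusion).
function render_template_vulnerable(string $name): void
{
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// HARDENED pattern: map the untrusted name onto a fixed allowlist, then
// confirm the resolved path really lies inside TEMPLATE_DIR before including.
function render_template_hardened(string $name): void
{
    static $allowed = ['product', 'cart', 'checkout'];

    if (!in_array($name, $allowed, true)) {
        http_response_code(400);
        error_log('template: rejected value ' . var_export($name, true));
        return;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    // realpath() returns false for missing files; the prefix check defends the
    // allowlist against a mistaken entry or a symlink inside the template folder.
    $prefix = $base === false ? '' : $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Detection helper: flag parameter values containing path traversal, null
// bytes or a stream-wrapper scheme, the shapes worth alerting on in logs.
function looks_like_inclusion_probe(string $value): bool
{
    return (bool) preg_match('#(\.\./|\.\.\\\\|%2e%2e|\x00|^[a-z][a-z0-9+.-]*://)#i', $value);
}

$name = (string) ($_GET['template'] ?? 'product');
if (looks_like_inclusion_probe($name)) {
    error_log('possible file inclusion attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit;
}
render_template_hardened($name);
```

The allowlist is the control that actually closes the issue; the realpath prefix check and the probe detector are defence in depth. Pairing this with an `open_basedir` setting in php.ini that lists only the web root and any required temp directory (for example `open_basedir = /var/www/site/:/tmp/`) limits what an include() can reach even if another code path is later found to be unsafe.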


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-03-11T08:09:09.176Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f5b1b0bd07c3938c8b3

Added to database: 6/10/2025, 6:54:19 PM

Last enriched: 7/10/2025, 10:04:53 PM

Last updated: 8/17/2025, 2:13:50 PM
