CVE-2025-28945 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the 'Valen - Sport, Fashion WooCommerce WordPress Theme' developed by snstheme, up to version 2.4. The flaw allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter in the PHP include or require statement to include unintended files from the local filesystem. This can lead to arbitrary code execution, disclosure of sensitive information, or complete compromise of the affected web server. The vulnerability has a CVSS v3.1 base score of 8.1, indicating a high level of severity. The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates that the attack can be performed remotely over the network without requiring privileges or user interaction, but it has a high attack complexity. The impact on confidentiality, integrity, and availability is high, as successful exploitation can lead to full system compromise. No public exploits are currently known in the wild, and no patches have been linked yet. The vulnerability was reserved in March 2025 and published in June 2025. The root cause is insufficient validation or sanitization of user-controlled input used in PHP include/require statements, allowing attackers to traverse directories or specify arbitrary local files to be included and executed by the PHP interpreter. This type of vulnerability is particularly dangerous in WordPress themes because themes often have elevated privileges and direct access to the web server's PHP execution environment, making exploitation a critical risk for websites using the affected theme version.

For European organizations, especially those operating e-commerce websites using WordPress with the Valen WooCommerce theme, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of customer data, including personal and payment information, violating GDPR and other data protection regulations. The integrity of the website content and backend systems could be compromised, allowing attackers to inject malicious code, deface websites, or pivot to internal networks. Availability may also be impacted if attackers deploy ransomware or disrupt services. Given the widespread use of WooCommerce in Europe for online retail, organizations could face reputational damage, financial losses, and regulatory penalties. The high severity and remote exploitability without authentication increase the urgency for mitigation. Additionally, the lack of known public exploits suggests that attackers may develop exploits soon, increasing the risk window. Organizations relying on this theme should consider the vulnerability a critical threat to their web infrastructure and customer trust.

1. Immediate action should be to identify all instances of the Valen - Sport, Fashion WooCommerce WordPress theme version 2.4 or earlier in use within the organization’s web infrastructure. 2. Since no official patches are currently linked, organizations should monitor the vendor’s channels and trusted security advisories for updates or patches and apply them promptly once available. 3. In the interim, restrict access to the affected web applications by implementing Web Application Firewalls (WAFs) with rules designed to detect and block suspicious include/require parameter manipulations and directory traversal attempts. 4. Harden PHP configurations by disabling dangerous functions such as 'allow_url_include' and restricting file inclusion paths using 'open_basedir' directives to limit the scope of accessible files. 5. Conduct thorough code reviews and implement input validation and sanitization for any custom code that handles file inclusion. 6. Employ runtime application self-protection (RASP) solutions to detect and prevent exploitation attempts in real-time. 7. Regularly back up website data and configurations to enable rapid recovery in case of compromise. 8. Educate development and security teams about the risks of insecure file inclusion and best practices for secure PHP coding. 9. Consider temporarily disabling or replacing the vulnerable theme with a secure alternative until a patch is available. 10. Monitor logs for unusual file access patterns or errors indicative of exploitation attempts.