
CVE-2025-30635: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ThemeAtelier IDonatePro

Severity: High
Tags: Vulnerability, CVE-2025-30635, CWE-98
Published: Thu Aug 14 2025 (08/14/2025, 10:34:30 UTC)
Source: CVE Database V5
Vendor/Project: ThemeAtelier
Product: IDonatePro

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through 2.1.9.

AI-Powered Analysis

Last updated: 08/14/2025, 12:19:26 UTC

Technical Analysis

CVE-2025-30635 is a high-severity vulnerability classified under CWE-98, improper control of the filename used in an include or require statement in a PHP program. It affects ThemeAtelier's IDonatePro product in versions up to 2.1.9. The flaw allows PHP Local File Inclusion (LFI): the application passes insufficiently validated or sanitized user-supplied input into the filename of an include or require statement, so an attacker can manipulate the path to include unintended files from the local filesystem. Depending on what can be included, this can lead to disclosure of sensitive files, arbitrary code execution, or full compromise of the host. Although the title carries the CWE-98 name 'PHP Remote File Inclusion', the description clarifies that the actual issue is Local File Inclusion. The CVSS v3.1 score is 8.1 (high): network attack vector, high impact on confidentiality, integrity, and availability, no privileges required, and no user interaction needed. No known exploits are currently reported in the wild, and no patches are linked yet, suggesting that the vulnerability is newly disclosed and may be targeted soon. Because it is reachable remotely through crafted requests to the vulnerable PHP application, successful exploitation could allow an attacker to execute arbitrary PHP code or read sensitive files, leading to full compromise of the web server and possibly lateral movement within the network.

Potential Impact

For European organizations using ThemeAtelier's IDonatePro, this vulnerability poses a significant risk. Given the high CVSS score and the nature of the flaw, attackers could gain unauthorized access to sensitive donor information, financial data, or internal systems, leading to data breaches, reputational damage, and regulatory non-compliance under GDPR. The ability to execute arbitrary code or read sensitive files could also facilitate ransomware deployment or persistent backdoors. Non-profit organizations and charities, which are common users of donation management software like IDonatePro, may be particularly vulnerable due to potentially limited cybersecurity resources. The impact extends beyond data loss to operational disruption and potential legal consequences. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale, increasing the risk of widespread attacks targeting European entities relying on this software.

Mitigation Recommendations

European organizations should immediately audit their use of ThemeAtelier IDonatePro to determine whether they are running affected versions (up to 2.1.9). Until an official patch is released, organizations should implement strict input validation and sanitization on all parameters that influence file inclusion paths, and apply web application firewall (WAF) rules to detect and block requests that attempt to exploit LFI. Ensuring that include(), require(), include_once(), and require_once() never receive user-controlled input (for example by resolving a request parameter against a fixed allowlist of known files) removes the root cause of this class of flaw. Additionally, running the application with least privilege and isolating it in a container or sandbox environment can limit the damage of a successful inclusion. Monitoring web server and PHP logs for unusual file access patterns, path traversal sequences in request parameters, or error messages related to failed include attempts is critical for early detection. Organizations should also prepare for rapid patch deployment once ThemeAtelier releases an official fix and consider engaging with cybersecurity vendors for threat intelligence updates regarding exploitation attempts.
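The following is an added illustration of the CWE-98 pattern described in the analysis and of the allowlist-plus-path-check mitigation recommended above. It is not IDonatePro's code and does not reproduce the actual flaw; the `template` request parameter, the template names, and the templates directory are assumptions made for the example.

```php
<?php
// Added example: the generic CWE-98 include pattern next to a hardened form.
// NOT IDonatePro's code; 'template', the template names and TEMPLATE_DIR are
// assumptions for illustration only.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern: the include path is built directly from request input,
// so traversal sequences or absolute paths reach include() unchanged.
function renderTemplateVulnerable(string $name): void
{
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened pattern: accept only a known template name (allowlist), then
// confirm the resolved path still lives inside TEMPLATE_DIR before including.
function renderTemplateHardened(string $name): void
{
    $allowed = ['donation-form', 'thank-you', 'receipt'];
    if (!in_array($name, $allowed, true)) {
        http_response_code(400);
        exit('unknown template');
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    // realpath() returns false for a missing file; the prefix test rejects
    // anything that resolves (e.g. through a symlink) outside TEMPLATE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(403);
        exit('template path rejected');
    }

    include $path;
}

// Usage: the 'template' query parameter is an assumed name for the example.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'donation-form';
renderTemplateHardened($requested);
```

The allowlist match alone already stops traversal; the realpath() prefix check is defence in depth against symlinks or misconfigured directories, and a failed check is worth logging for the monitoring step above.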


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-03-24T13:01:06.202Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689dbee1ad5a09ad0059e57e

Added to database: 8/14/2025, 10:48:01 AM

Last enriched: 8/14/2025, 12:19:26 PM

Last updated: 8/21/2025, 12:35:15 AM
