CVE-2025-31633 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements in PHP programs. This specific vulnerability affects the 'gavias Kiamo - Responsive Business Service' WordPress theme, versions up to and including 1.3.3. The flaw allows for PHP Local File Inclusion (LFI), which occurs when an attacker can manipulate the filename parameter in an include or require statement to load unintended files from the server. Although the description mentions PHP Remote File Inclusion (RFI), the actual issue is LFI, which can still be leveraged to read sensitive files, execute arbitrary code if combined with other vulnerabilities, or escalate attacks on the server hosting the WordPress site. The vulnerability has a CVSS 3.1 score of 8.1, indicating a high impact on confidentiality, integrity, and availability, with no privileges or user interaction required, but with a higher attack complexity. The vulnerability is network exploitable and can lead to full compromise of the affected web server. No known exploits are currently reported in the wild, and no patches have been linked yet. The root cause is insufficient validation or sanitization of user-controlled input used in PHP include/require statements, allowing attackers to specify local files to be included and executed by the PHP interpreter.

For European organizations using the gavias Kiamo WordPress theme, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive data such as configuration files, credentials, or business information stored on the server. It could also enable attackers to execute arbitrary code, potentially leading to full server compromise, defacement of websites, or use of the server as a pivot point for further attacks within the organization's network. Given the theme's use in business service websites, the impact could extend to loss of customer trust, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and operational disruption. The high CVSS score reflects the severity of these impacts. Since WordPress is widely used across Europe, and business service themes are common, the threat is relevant to many organizations, especially SMEs and enterprises relying on this theme for their online presence.

Organizations should immediately audit their WordPress installations to identify if the gavias Kiamo theme version 1.3.3 or earlier is in use. Until an official patch is released, mitigation can include disabling or restricting access to vulnerable PHP files via web server configuration (e.g., using .htaccess rules to block direct access), implementing Web Application Firewall (WAF) rules to detect and block suspicious include/require parameter manipulations, and employing strict input validation and sanitization at the application level if customization is possible. Additionally, isolating the WordPress environment using containerization or sandboxing can limit the impact of exploitation. Monitoring logs for unusual file inclusion attempts and scanning for indicators of compromise should be prioritized. Organizations should subscribe to vendor advisories and apply patches promptly once available. Finally, consider migrating to alternative themes with better security track records if timely patches are not forthcoming.