CVE-2025-31912 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the 'gavias Enzio - Responsive Business WordPress Theme' versions up to 1.1.8. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter that is used in PHP's include or require functions. This can lead to the inclusion and execution of arbitrary files on the server, potentially resulting in full compromise of the web application and underlying system. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high severity, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network without any privileges or user interaction, but requires high attack complexity. Successful exploitation can lead to complete loss of confidentiality, integrity, and availability of the affected system. Although no known exploits are currently reported in the wild, the nature of the vulnerability makes it a critical concern for websites using this theme. The absence of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation. The vulnerability arises from insufficient validation or sanitization of user-controlled input used in file inclusion statements, allowing attackers to traverse directories or specify arbitrary files, potentially exposing sensitive data or enabling remote code execution.

For European organizations, this vulnerability poses significant risks, especially for businesses relying on WordPress sites with the Enzio theme for their online presence. Exploitation can lead to unauthorized disclosure of sensitive data, defacement of websites, injection of malicious code, or complete takeover of web servers. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance under GDPR due to data breaches. Given the widespread use of WordPress across Europe, organizations in sectors such as e-commerce, professional services, and public administration that use this theme are particularly vulnerable. The high severity and remote exploitability without authentication increase the threat level. Additionally, the lack of a patch means organizations must rely on immediate mitigations to prevent exploitation. Attackers could leverage this vulnerability to pivot into internal networks, escalating the impact beyond the web server itself. The potential for service disruption and data compromise could have cascading effects on European businesses’ digital trust and operational continuity.

Organizations should immediately audit their WordPress installations to identify the use of the gavias Enzio theme, particularly versions up to 1.1.8. Until an official patch is released, the following specific mitigations are recommended: 1) Disable or restrict the use of dynamic include or require statements in the theme’s PHP files by applying code-level fixes or using web application firewalls (WAFs) to block suspicious requests containing directory traversal patterns or unexpected parameters. 2) Employ strict input validation and sanitization on any parameters that influence file inclusion paths, ideally restricting to a whitelist of allowed files. 3) Isolate the web server environment using containerization or sandboxing to limit the impact of potential exploitation. 4) Monitor web server logs for anomalous requests indicative of LFI attempts, such as those containing '../' sequences or unusual file extensions. 5) Implement least privilege principles for the web server user to minimize file system access. 6) Regularly back up website data and configurations to enable rapid recovery. 7) Engage with the theme vendor or community to track patch releases and apply updates promptly once available. 8) Consider temporarily switching to alternative themes or disabling vulnerable features if feasible.