
CVE-2025-39490: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Mikado-Themes Backpack Traveler

High
Tags: Vulnerability, CVE-2025-39490, CWE-98
Published: Fri May 23 2025 (05/23/2025, 12:43:54 UTC)
Source: CVE
Vendor/Project: Mikado-Themes
Product: Backpack Traveler

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through 2.7.

AI-Powered Analysis

Last updated: 07/09/2025, 00:09:34 UTC

Technical Analysis

CVE-2025-39490 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the Mikado-Themes Backpack Traveler product, versions up to 2.7. The flaw allows an attacker to perform PHP Local File Inclusion (LFI), which can lead to the inclusion and execution of arbitrary files on the server. This occurs because the application does not properly validate or sanitize user-supplied input that controls the filename parameter in PHP include or require statements. Exploiting this vulnerability could allow an attacker to read sensitive files, execute arbitrary PHP code, or escalate privileges on the affected system. The CVSS v3.1 base score is 8.1, indicating a high severity level, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network without authentication or user interaction, but requires high attack complexity. The impact on confidentiality, integrity, and availability is high, as successful exploitation can compromise all three. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in April 2025 and published in May 2025, indicating it is a recent discovery. Given the nature of the vulnerability and the product involved, this poses a significant risk to web servers running the affected Backpack Traveler theme, which is used in PHP-based content management systems or websites.

Potential Impact

For European organizations using Mikado-Themes Backpack Traveler, this vulnerability presents a critical risk to web applications and websites. Successful exploitation could lead to unauthorized disclosure of sensitive data, including configuration files, user data, or credentials stored on the server. Attackers could also execute arbitrary code, potentially leading to full system compromise, data tampering, or service disruption. This could result in significant operational downtime, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. Organizations in sectors such as tourism, travel agencies, hospitality, and e-commerce that rely on this theme for their web presence are particularly vulnerable. The high severity and remote exploitability without authentication increase the urgency for mitigation. Additionally, the lack of patches means organizations must rely on alternative protective measures until an official fix is released.

Mitigation Recommendations

1. Immediate mitigation should include disabling or restricting the vulnerable include/require functionality in the PHP code if possible, by applying input validation and sanitization to ensure only safe, expected filenames are processed.
2. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities.
3. Restrict PHP file inclusion paths using open_basedir or similar PHP configuration directives to limit accessible directories and prevent inclusion of unauthorized files.
4. Monitor web server logs for unusual requests or errors indicative of attempted exploitation.
5. Isolate affected web applications in segmented network zones to reduce lateral movement risk.
6. Regularly back up website data and configurations to enable rapid recovery if compromise occurs.
7. Engage with Mikado-Themes or the vendor community to track patch releases and apply updates promptly once available.
8. Conduct security audits and code reviews of customizations to the Backpack Traveler theme to identify and remediate similar vulnerabilities.
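The CWE-98 pattern described in the Technical Analysis, and mitigations 1 and 3 above, as an added PHP example (not Backpack Traveler code, which is not public here). The `template` request parameter, the `templates/` directory and the allowlisted template names are hypothetical placeholders.

```php
<?php
// Added example, not code from the theme. Parameter name "template" and the
// templates directory are hypothetical.

// VULNERABLE pattern (CWE-98): the include path is built from untrusted input,
// so traversal sequences or stream wrappers in $name are never rejected.
function vulnerable_include(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// HARDENED: an exact-match allowlist (mitigation 1) followed by a realpath
// containment check, so the resolved file must live inside TEMPLATE_DIR.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['header', 'footer', 'gallery'];

function safe_template_path(string $name): ?string
{
    // 1. Only names we expect, compared strictly (no type juggling).
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Resolve symlinks and ".." and confirm the result stays under the base.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function hardened_include(string $name): void
{
    $path = safe_template_path($name);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Defence in depth (mitigation 3): open_basedir can only be tightened at
// runtime, so this confines every include/require in this request to the
// web root and the templates directory. allow_url_include=0 must be set in
// php.ini (it is PHP_INI_SYSTEM and cannot be changed with ini_set).
ini_set('open_basedir', __DIR__ . PATH_SEPARATOR . TEMPLATE_DIR);

hardened_include($_GET['template'] ?? 'header');
```

A request whose `template` value is not in the allowlist gets a 400 and nothing is included; the realpath check is redundant with the allowlist by design, so a later mistake in the list still cannot reach files outside `templates/`.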


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-16T06:23:58.700Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68306f8e0acd01a24927237d

Added to database: 5/23/2025, 12:52:30 PM

Last enriched: 7/9/2025, 12:09:34 AM

Last updated: 8/1/2025, 5:26:00 PM
