
CVE-2025-49036: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in octagonwebstudio Premium Addons for KingComposer

High
Published: Thu Aug 14 2025 (08/14/2025, 10:34:22 UTC)
Source: CVE Database V5
Vendor/Project: octagonwebstudio
Product: Premium Addons for KingComposer

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in octagonwebstudio Premium Addons for KingComposer allows PHP Local File Inclusion. This issue affects Premium Addons for KingComposer: from n/a through 1.1.1.

AI-Powered Analysis

AI analysis last updated: 08/14/2025, 12:03:46 UTC

Technical Analysis

CVE-2025-49036 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the Premium Addons for KingComposer developed by octagonwebstudio, versions up to 1.1.1. The flaw allows an attacker to perform PHP Local File Inclusion (LFI), which can lead to arbitrary code execution, data disclosure, and full compromise of the affected web application. The vulnerability arises because the application does not properly validate or sanitize user-supplied input used in PHP include or require statements, enabling an attacker to manipulate the filename parameter to include unintended files from the server. This can result in disclosure of sensitive files such as configuration files, password stores, or application source code. In some cases, it can also lead to remote code execution if the attacker can control the contents of included files or upload malicious files to the server. The CVSS v3.1 base score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, no privileges required, no user interaction, but high attack complexity. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be considered a significant risk for affected installations. No patches or mitigation links are currently provided by the vendor, which increases the urgency for organizations to apply compensating controls or monitor for exploitation attempts.

Potential Impact

For European organizations using the Premium Addons for KingComposer, this vulnerability poses a critical risk to the confidentiality, integrity, and availability of their web applications and underlying systems. Successful exploitation could lead to unauthorized access to sensitive customer data, intellectual property, or internal configuration files, potentially violating GDPR and other data protection regulations. The integrity of web content and backend systems could be compromised, enabling attackers to inject malicious code, deface websites, or pivot to internal networks. Availability could also be impacted if attackers disrupt services or delete critical files. Given the widespread use of WordPress and its plugins in Europe, organizations in sectors such as e-commerce, government, education, and media that rely on KingComposer with Premium Addons are particularly vulnerable. The lack of patches and the high CVSS score indicate that attackers motivated by financial gain or espionage could target these systems, leading to reputational damage, regulatory fines, and operational disruption.

Mitigation Recommendations

1. Immediate mitigation should include disabling or removing the Premium Addons for KingComposer plugin until a vendor patch is available.
2. Implement strict input validation and sanitization on all user-supplied parameters that influence file inclusion paths.
3. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit LFI patterns, such as directory traversal sequences or suspicious include parameters.
4. Restrict PHP include paths and disable the allow_url_include and allow_url_fopen directives in the PHP configuration to prevent remote file inclusion vectors.
5. Conduct thorough code reviews and penetration testing focused on file inclusion vulnerabilities in all custom or third-party plugins.
6. Monitor web server and application logs for anomalous requests indicative of LFI exploitation attempts.
7. Maintain regular backups and ensure incident response plans are updated to handle potential breaches stemming from this vulnerability.
8. Engage with the vendor or community to track patch releases and apply updates promptly once available.
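The weakness class from the Technical Analysis (CWE-98, user input flowing into include) and the input-validation control in mitigation item 2, shown as an added illustration that is not code from Premium Addons for KingComposer: a hypothetical layout-loading include next to a hardened version that maps the request value through an allowlist and verifies the resolved path. The "layout" parameter, the templates directory and the layout names are all assumptions made for the example.

```php
<?php
// Added illustration of CWE-98, not code from the affected plugin.
// Assumptions: a hypothetical plugin renders a layout chosen by a request
// parameter named "layout", with layout files stored under ./templates.

// BEFORE: the request value becomes part of the include path, so a traversal
// sequence or any readable file on the server can be pulled into the include.
function render_layout_vulnerable(string $layout): void
{
    include __DIR__ . '/templates/' . $layout . '.php';
}

// AFTER: map the request value to a fixed allowlist of known layouts and
// refuse everything else; user input never becomes part of a path. Note that
// allow_url_include=Off (mitigation item 4) only blocks remote URLs; local
// inclusion is stopped by this allowlist, not by the php.ini directive.
const ALLOWED_LAYOUTS = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];

function resolve_layout(string $layout): ?string
{
    if (!array_key_exists($layout, ALLOWED_LAYOUTS)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_LAYOUTS[$layout]);
    // Defence in depth: the resolved file must still sit inside the templates
    // directory (guards against a symlinked or renamed allowlist entry).
    if ($base === false || $path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_hardened(string $layout): void
{
    $path = resolve_layout($layout);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown layout';
        return;
    }
    include $path;
}

// Entry point: read the parameter as a string, then resolve it via the allowlist.
$requested = isset($_GET['layout']) ? (string) $_GET['layout'] : 'default';
render_layout_hardened($requested);
```

A WAF rule for mitigation item 3 would complement this, but the allowlist is the control that removes the weakness itself rather than filtering known attack patterns.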


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-30T14:04:14.280Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689dbee1ad5a09ad0059e5b8

Added to database: 8/14/2025, 10:48:01 AM

Last enriched: 8/14/2025, 12:03:46 PM

Last updated: 8/21/2025, 12:35:15 AM

