CVE-2025-52715: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in RadiusTheme Classified Listing

High
Tags: Vulnerability, CVE-2025-52715, cve, cwe-98
Published: Fri Jun 20 2025 (06/20/2025, 15:03:36 UTC)
Source: CVE Database V5
Vendor/Project: RadiusTheme
Product: Classified Listing

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing allows PHP Local File Inclusion. This issue affects Classified Listing: from n/a through 4.2.0.

AI-Powered Analysis

Last updated: 06/21/2025, 10:55:06 UTC

Technical Analysis

CVE-2025-52715 is a high-severity vulnerability classified under CWE-98, improper control of the filename used in a PHP include or require statement. It affects the RadiusTheme Classified Listing product in versions up to and including 4.2.0. The flaw permits PHP Local File Inclusion (LFI): an attacker who can influence the file path passed to include or require can pull arbitrary files from the local filesystem into the PHP execution context. Depending on which files are reachable, this can disclose sensitive material such as configuration files, credential stores, or logs, and it can escalate to remote code execution if the attacker controls the contents of any file that ends up being included.

The CVSS v3.1 base score of 7.5 (High) carries the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. The root cause is insufficient validation or sanitization of the filename parameter used in include or require statements, which lets callers name files the application never intended to load. No exploits are known in the wild at the time of writing, but PHP file inclusion flaws are well understood and the potential for exploitation is significant.

RadiusTheme Classified Listing is a WordPress theme/plugin product commonly used for classified ads websites, so it is deployed by a wide range of organizations to manage listings and user-generated content. No patch was available at the time of publication, which raises the urgency of mitigation and monitoring. Because the vulnerability requires no user interaction and only low-level privileges, the exposed attack surface is broad, particularly where the application is reachable from the internet or shared among many users.

Potential Impact

For European organizations using RadiusTheme Classified Listing, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized disclosure of sensitive data, including user information, credentials, or internal configuration files, severely impacting confidentiality. Integrity could be compromised by injecting malicious code or altering application behavior, potentially leading to website defacement, data manipulation, or pivoting to other internal systems. Availability may also be affected if attackers execute denial-of-service attacks or disrupt normal operations. Given that classified listing platforms often handle user-generated content and personal data, the breach could result in regulatory non-compliance under GDPR, leading to legal and financial repercussions. Additionally, organizations in sectors such as real estate, automotive sales, or local marketplaces that rely on such themes may face reputational damage and loss of customer trust. The high attack complexity somewhat limits exploitation to attackers with some technical skill, but the low privilege requirement and no need for user interaction mean that once a foothold is gained, lateral movement or further exploitation is feasible. The absence of known exploits currently provides a window for proactive defense, but the public disclosure increases the risk of future exploitation attempts.

Mitigation Recommendations

1. Immediate mitigation should include restricting access to the vulnerable application components by implementing web application firewalls (WAFs) with rules to detect and block suspicious include/require parameter manipulations.
2. Employ strict input validation and sanitization on all user-supplied parameters, especially those used in file inclusion functions, to whitelist allowable filenames and reject any input containing directory traversal sequences or remote URLs.
3. Isolate the web application environment using containerization or sandboxing to limit the impact of potential exploitation.
4. Monitor logs for unusual file inclusion attempts or errors related to file paths, and set up alerts for anomalous activities.
5. If possible, temporarily disable or restrict the Classified Listing plugin/theme until a vendor patch is released.
6. Conduct a thorough code review of any customizations to the theme/plugin to identify and remediate unsafe file inclusion patterns.
7. Keep all PHP environments and dependencies updated to the latest secure versions.
8. Prepare incident response plans specifically addressing web application compromises involving file inclusion vulnerabilities.
9. Engage with RadiusTheme support or community channels to obtain patches or recommended fixes as soon as they become available.
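The allowlist pattern from recommendation 2 and the review target from recommendation 6, as an added illustration that is not RadiusTheme's code: a template identifier from the request is mapped through a fixed table and re-checked with realpath() so that no user-controlled string ever reaches include. The function names, parameter name, directory layout and template names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hardened include helper for a
// CWE-98 pattern: the request supplies an identifier, never a path.
declare(strict_types=1);

// Assumed fixed template directory; never derived from request input.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: the only identifiers accepted, mapped to files under TEMPLATE_DIR.
const TEMPLATE_MAP = [
    'list'   => 'listing-list.php',
    'grid'   => 'listing-grid.php',
    'single' => 'listing-single.php',
];

/**
 * Resolve an identifier to an absolute template path, or null if rejected.
 * Traversal sequences, stream wrappers (php://, data://) and remote URLs all
 * fail the allowlist lookup; the realpath() check also catches a symlinked
 * template that points outside the base directory.
 */
function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_MAP)) {
        return null;                                  // unknown identifier
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATE_MAP[$name]);
    if ($base === false || $path === false) {
        return null;                                  // missing file or base dir
    }
    // Boundary check: resolved file must sit inside the resolved base dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;   // always an allowlisted, in-directory file
}

// Assumed request parameter 'view'; only the identifier comes from the client.
render_template((string)($_GET['view'] ?? 'list'));
```

When reviewing customizations (recommendation 6), any include, require, include_once or require_once whose operand is built from $_GET, $_POST, $_REQUEST or a shortcode attribute is the pattern to replace with this kind of lookup.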

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-19T10:02:14.560Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68568e86aded773421b5ab72

Added to database: 6/21/2025, 10:50:46 AM

Last enriched: 6/21/2025, 10:55:06 AM

Last updated: 8/7/2025, 8:22:30 PM

Views: 14
