CVE-2025-52716 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the Acato WP REST Cache plugin for WordPress. The flaw allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter to include arbitrary files from the local filesystem. This can lead to the execution of malicious code, disclosure of sensitive information, or further exploitation of the affected system. The vulnerability is present in all versions of WP REST Cache up to and including version 2025.1.0. The CVSS v3.1 base score is 7.5, indicating a high severity level. The vector string (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates that the attack can be performed remotely over the network without privileges but requires user interaction, and the attack complexity is high. The impact on confidentiality, integrity, and availability is high, meaning successful exploitation can lead to full compromise of the affected system. No public exploits are currently known in the wild, and no patches have been linked yet. The vulnerability arises because the plugin does not properly sanitize or validate the input controlling the filename in include/require statements, allowing attackers to specify unintended files to be included and executed by the PHP interpreter.

For European organizations, this vulnerability poses a significant risk, especially those using WordPress sites with the Acato WP REST Cache plugin installed. Exploitation could lead to unauthorized access to sensitive data, website defacement, or complete server compromise. Given the high confidentiality, integrity, and availability impact, attackers could steal personal data protected under GDPR, causing regulatory and reputational damage. The requirement for user interaction (likely via crafted URLs or social engineering) means phishing or targeted attacks could be vectors. Organizations relying on WordPress for e-commerce, government portals, or critical infrastructure websites are particularly vulnerable. The lack of a patch at the time of publication increases the window of exposure. Additionally, the high attack complexity may limit opportunistic attacks but does not preclude targeted campaigns against high-value European targets.

Organizations should immediately audit their WordPress installations to identify the presence of the Acato WP REST Cache plugin. If found, consider disabling or uninstalling the plugin until a vendor patch is available. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit file inclusion vectors, such as those manipulating include parameters or unusual URL patterns. Implement strict input validation and sanitization on all user-supplied data, especially parameters that influence file paths. Monitor web server and application logs for anomalous access patterns or errors related to file inclusion attempts. Educate users and administrators about the risks of interacting with suspicious links to reduce the likelihood of user interaction exploitation. Finally, maintain an active vulnerability management process to apply patches promptly once released by the vendor.