CVE-2025-54700 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the ThemeMove Makeaholic product, versions up to and including 1.8.4. The flaw allows an attacker to perform PHP Local File Inclusion (LFI), where the application improperly validates or sanitizes user-supplied input that determines which files are included or required by the PHP script. This can lead to an attacker including arbitrary files from the local filesystem, potentially exposing sensitive information, executing arbitrary PHP code, or escalating privileges. The CVSS v3.1 score of 8.1 reflects the high impact on confidentiality, integrity, and availability, with network attack vector, no privileges required, no user interaction needed, but with high attack complexity. The vulnerability does not currently have known exploits in the wild, and no patches have been linked yet. The issue arises because the application fails to properly restrict or validate the filename parameter used in include/require statements, allowing malicious input to influence the file path. This can be exploited remotely over the network without authentication, making it a critical risk for exposed web servers running the vulnerable Makeaholic theme. The vulnerability's impact includes potential full system compromise, data leakage, and service disruption. Given the nature of PHP LFI vulnerabilities, attackers might chain this with other vulnerabilities to achieve remote code execution or persistent access.

For European organizations using the ThemeMove Makeaholic theme, this vulnerability poses a significant risk. Many European businesses rely on PHP-based content management systems and themes for their websites, including e-commerce, corporate, and governmental portals. Exploitation could lead to unauthorized access to sensitive customer data, intellectual property, or internal systems, violating GDPR and other data protection regulations, resulting in legal and financial penalties. The ability to execute arbitrary code or disrupt services could damage organizational reputation and operational continuity. Since the vulnerability requires no authentication and can be exploited remotely, attackers can target publicly accessible web servers, increasing the risk of widespread compromise. Organizations in sectors such as finance, healthcare, and public administration are particularly vulnerable due to the sensitivity of their data and the critical nature of their services. Additionally, the high attack complexity may limit exploitation to skilled attackers, but the lack of required user interaction and privileges lowers the barrier significantly. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly after public disclosure.

European organizations should immediately audit their web assets to identify any instances of the ThemeMove Makeaholic theme, particularly versions up to 1.8.4. Since no official patches are currently linked, organizations should consider the following specific mitigations: 1) Temporarily disable or remove the vulnerable theme from production environments until a patch is available. 2) Implement strict input validation and sanitization on any parameters that influence file inclusion, employing whitelisting of allowed filenames or paths. 3) Employ web application firewalls (WAFs) with rules designed to detect and block suspicious include/require parameter manipulations indicative of LFI attempts. 4) Restrict PHP file inclusion to safe directories using PHP configuration directives such as open_basedir to limit filesystem access. 5) Monitor web server logs for unusual requests targeting include parameters or attempts to access sensitive files. 6) Harden server permissions to prevent unauthorized file access and code execution. 7) Prepare for rapid deployment of official patches once released by ThemeMove. 8) Conduct security awareness training for development and operations teams regarding secure coding practices related to file inclusion.