CVE-2025-54750 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements within PHP applications. Specifically, this vulnerability affects the Funnel Builder by FunnelKit plugin, versions up to and including 3.11.1. The flaw allows for PHP Local File Inclusion (LFI), a type of vulnerability where an attacker can manipulate the file path used in PHP's include or require functions to load unintended files from the local server. Although the description mentions 'PHP Remote File Inclusion,' the actual impact is local file inclusion, which can still be leveraged to disclose sensitive files, execute arbitrary code, or escalate privileges depending on the server configuration and available files. The CVSS v3.1 score is 7.5, indicating a high severity, with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network, requires high attack complexity, no privileges, but does require user interaction. The vulnerability impacts confidentiality, integrity, and availability, potentially allowing attackers to read sensitive files, modify application behavior, or cause denial of service. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that mitigation may rely on vendor updates or configuration changes. The vulnerability was reserved on July 28, 2025, and published on August 20, 2025, suggesting it is a recent discovery. FunnelKit Funnel Builder is a WordPress plugin used for creating sales funnels, landing pages, and marketing workflows, widely used by digital marketers and e-commerce sites. The improper validation or sanitization of input controlling the include/require filename is the root cause, allowing attackers to influence which files are included by the PHP interpreter.

For European organizations, this vulnerability poses significant risks, especially for businesses relying on WordPress and FunnelKit for their marketing and sales operations. Exploitation could lead to unauthorized disclosure of sensitive information such as configuration files, credentials, or customer data, violating GDPR and other data protection regulations. Integrity of the website content and backend logic could be compromised, enabling attackers to inject malicious code, redirect users, or manipulate sales funnels to defraud customers. Availability could also be impacted if attackers cause application crashes or denial of service. Given the high adoption of WordPress and FunnelKit in European SMEs and digital agencies, the threat surface is considerable. Organizations in regulated sectors like finance, healthcare, and e-commerce are particularly vulnerable due to the sensitivity of their data and the potential regulatory penalties. Furthermore, the requirement for user interaction (UI:R) means phishing or social engineering could be used to trigger the exploit, increasing the attack vector. The high attack complexity (AC:H) somewhat limits mass exploitation but targeted attacks remain a serious concern. The lack of known public exploits currently provides a window for proactive mitigation before widespread abuse.

1. Immediate mitigation should involve disabling or uninstalling the Funnel Builder by FunnelKit plugin until a security patch is released. 2. Monitor the vendor’s official channels for security updates or patches addressing CVE-2025-54750 and apply them promptly. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests attempting to manipulate include or require parameters, especially those containing directory traversal sequences or unexpected file extensions. 4. Harden PHP configurations by disabling allow_url_include and restricting file system access permissions to minimize the impact of any inclusion attempts. 5. Conduct thorough code reviews and input validation audits on all custom or third-party plugins to ensure proper sanitization of user-controlled inputs used in file operations. 6. Educate users and administrators about phishing and social engineering risks, since user interaction is required for exploitation. 7. Employ intrusion detection systems (IDS) and log monitoring to identify anomalous file inclusion attempts or errors indicative of exploitation attempts. 8. Regularly back up website data and configurations to enable rapid recovery in case of compromise. 9. Consider isolating critical web application components and using least privilege principles to limit the scope of potential damage from exploitation.