CVE-2025-58889 identifies a critical vulnerability in the axiomthemes Towny WordPress theme, specifically versions up to 1.16, involving improper control of filenames used in PHP include or require statements. This vulnerability is classified as a PHP Local File Inclusion (LFI) flaw, where the application fails to properly validate or sanitize user-supplied input that determines which files are included during runtime. As a result, an attacker can manipulate the filename parameter to include arbitrary files from the server's filesystem. This can lead to disclosure of sensitive information such as configuration files, source code, or credentials stored on the server. While the vulnerability does not directly allow remote code execution, the attacker may leverage disclosed information to further compromise the system or escalate privileges. The CVSS 3.1 base score of 8.2 reflects a high severity, with vector metrics indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). The vulnerability was reserved in early September 2025 and published in December 2025, with no known exploits in the wild at the time of reporting. The affected product, Towny, is a WordPress theme developed by axiomthemes, commonly used for blogs, portfolios, and business websites. The flaw arises from insecure coding practices where user input controlling file inclusion is not properly sanitized or restricted, violating secure coding standards for PHP applications. This vulnerability enables attackers to remotely access sensitive files without authentication, posing a significant risk to confidentiality and potentially aiding further attacks.

For European organizations, the primary impact of CVE-2025-58889 is the potential exposure of sensitive internal files, including configuration files, database credentials, or private data stored on web servers running the vulnerable Towny theme. This can lead to confidentiality breaches, undermining customer trust and violating data protection regulations such as GDPR. Although the vulnerability does not directly allow remote code execution, the disclosed information can facilitate subsequent attacks, including privilege escalation or lateral movement within networks. Organizations operating e-commerce, media, or corporate websites using WordPress with Towny are particularly at risk. The ease of exploitation—requiring no authentication or user interaction—means attackers can scan and target vulnerable sites en masse. This could result in widespread data leaks or targeted espionage against high-value European entities. The lack of availability impact reduces the risk of denial-of-service, but the integrity impact, while low, still allows attackers to influence application behavior indirectly. Overall, the vulnerability threatens the confidentiality and partial integrity of affected systems, with potential regulatory and reputational consequences for European businesses.

To mitigate CVE-2025-58889, European organizations should immediately inventory their WordPress installations to identify use of the Towny theme, particularly versions up to 1.16. Since no official patch links are currently available, organizations should monitor axiomthemes and trusted vulnerability databases for updates or patches. In the interim, manual mitigation includes reviewing and modifying the theme’s PHP code to enforce strict validation and sanitization of any user input used in include or require statements. This can be achieved by implementing whitelisting of allowable filenames, using fixed file paths, or employing PHP functions such as realpath() to restrict file inclusion to safe directories. Additionally, disabling remote file inclusion in PHP configuration (allow_url_include=Off) and restricting file permissions to prevent unauthorized file access can reduce risk. Web application firewalls (WAFs) should be configured to detect and block suspicious requests attempting to exploit file inclusion vectors. Regular security audits and penetration testing focused on file inclusion vulnerabilities are recommended. Finally, organizations should educate developers and administrators on secure coding practices to prevent similar vulnerabilities in custom themes or plugins.