CVE-2025-58892: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes Tourimo
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion. This issue affects Tourimo: from n/a through <= 1.2.3.
AI Analysis
Technical Summary
CVE-2025-58892 is a Local File Inclusion (LFI) vulnerability in the AncoraThemes Tourimo WordPress theme, affecting all versions up to and including 1.2.3. The weakness is the CWE-98 pattern named in the title: a filename that reaches a PHP include or require statement is built from input the theme does not adequately control, so a crafted request can steer the include to an arbitrary file on the server's filesystem. The title carries the generic CWE-98 name ('PHP Remote File Inclusion'), but the advisory text is explicit that what is exploitable is local inclusion: with PHP's default allow_url_include=Off, remote URLs cannot be pulled in, whereas files already on the host can. The advisory does not identify the affected file or parameter. Typical consequences of an LFI in a WordPress theme are disclosure of wp-config.php (database credentials and authentication salts), other configuration files, and application source code; if an attacker can also place a file on the server (through an upload feature or another chained flaw) and include it, the result is remote code execution. Tourimo is a commercial theme marketed for travel and tourism sites. The entry links no patch or vendor advisory, reports no known exploitation in the wild, and carries no CVSS score, so severity has to be assessed independently from impact and reachability. The CVE was reserved on 2025-09-05 and published in December 2025.
Potential Impact
For European organizations running Tourimo, which is aimed at travel and tourism sites, the primary risk is confidentiality: the files an attacker reaches first with an LFI are wp-config.php (database credentials, authentication salts), other configuration files, and source code. The advisory publishes no CVSS vector, so the authentication and user-interaction requirements are not stated; template-loading code in a theme is usually reachable by anyone who can send a request to the site, so until the vendor says otherwise, treat the flaw as exploitable without credentials. Chained with a file upload or another weakness that lets the attacker place content on the server, inclusion becomes code execution, putting the integrity and availability of the site and its customer data at risk. Downstream consequences are exposure of booking and customer records (a personal-data breach under GDPR, with notification duties), reputational damage, and the cost of incident response and rebuilding. The exposure is limited to sites that use this particular theme rather than WordPress deployments generally, but within the tourism sector, where such themes are common, targeted data theft or defacement is a realistic outcome.
Mitigation Recommendations
Inventory first: check every WordPress site for wp-content/themes/tourimo (and any child theme whose style.css declares Template: tourimo) and read the Version header in the theme's style.css; anything at 1.2.3 or below is affected. Because no fix is linked, the safe option until AncoraThemes ships one is to switch the site to a different theme and remove the Tourimo directory, since a theme that is merely inactive but still on disk can often be reached directly. If removal is not possible, reduce reachability and blast radius: confirm allow_url_include is Off (the PHP default, and the reason this is LFI rather than RFI); set open_basedir to the site's document root and temp directory so traversal outside it fails, noting that this does not protect wp-config.php, which lives inside that root; keep wp-config.php readable only by the PHP process user and move it one directory above the document root where the hosting allows; and put WAF rules in front of the site that block traversal sequences (../ and encoded variants such as %2e%2e/ and ..%2f) and PHP stream wrappers (php://, data://, expect://) in query strings and POST bodies. Monitor web server and PHP error logs for those same patterns and for unexpected reads of wp-config.php, /etc/passwd, or theme files, and alert on them. Take fresh backups of files and the database so a compromised site can be rebuilt from a known-good state. Ask AncoraThemes for a patched release and track this CVE in a vulnerability feed. Longer term, run each site under a dedicated PHP process user with minimal filesystem permissions, and review custom theme and plugin code for any include or require whose path is built from request data; such code should select from a fixed allowlist of template names rather than trying to sanitize free-form input.
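The bug class described in the technical summary and the allowlist advice above, shown side by side in an added PHP 8 example. This is not code from the Tourimo theme (the advisory does not identify the affected file or parameter); the function names, the "template" request parameter, the templates/ directory layout, the attacker inputs and the wp-config.php stub are all constructed for the demonstration:

```php
<?php
declare(strict_types=1);

// Added example, not the Tourimo theme's code: the page does not show the
// affected file or parameter. The function names, the "template" request
// parameter and the templates/ directory are assumptions for illustration.

const ALLOWED_TEMPLATES = ['grid', 'list', 'map'];

// VULNERABLE (CWE-98): a request-controlled name is concatenated into the
// include path. Appending ".php" does not help: "../" still walks out of the
// theme, and "php://filter/...resource=" returns source instead of running it.
// With allow_url_include=Off (PHP's default) an http:// target is refused,
// which is why this bug class is local, not remote, inclusion in practice.
function resolve_template_vulnerable(string $templateDir, string $name): string
{
    return $templateDir . '/' . $name . '.php'; // caller would include() this
}

// HARDENED: select from a fixed allowlist, then confirm with realpath() that
// the resolved file really sits below the template directory. The second
// check is defence in depth for the day someone loosens the allowlist.
function resolve_template_hardened(string $templateDir, string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() resolves ".." and symlinks before the prefix comparison.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Demo: build a throwaway WordPress-like layout in the temp directory and run
// constructed attacker inputs through both resolvers. Nothing is include()d.
$root        = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
$templateDir = $root . '/wp-content/themes/example/templates';
mkdir($templateDir, 0700, true);
foreach (ALLOWED_TEMPLATES as $t) {
    file_put_contents("$templateDir/$t.php", "<?php // $t template\n");
}
file_put_contents("$root/wp-config.php", "<?php // define('DB_PASSWORD', '...');\n");

$inputs = [
    'grid',                                                              // legitimate
    '../../../../wp-config',                                             // traversal to the secrets file
    'php://filter/convert.base64-encode/resource=../../../../wp-config', // source disclosure wrapper
    'http://attacker.example/shell',                                     // RFI attempt, refused by default
];

foreach ($inputs as $in) {
    $v = resolve_template_vulnerable($templateDir, $in);
    $onDisk = strpos($v, '://') === false && is_file($v);
    $h = resolve_template_hardened($templateDir, $in);
    echo "input:      $in\n";
    echo "vulnerable: $v", $onDisk ? "   <- exists; include() would load it" : '', "\n";
    echo "hardened:   ", $h ?? 'rejected', "\n\n";
}

// Clean up the throwaway layout.
array_map('unlink', glob("$templateDir/*.php"));
unlink("$root/wp-config.php");
for ($d = $templateDir; $d !== $root; $d = dirname($d)) {
    rmdir($d);
}
rmdir($root);
```

Run it with `php lfi_demo.php`. For the traversal input the vulnerable resolver yields a path that lands on the temporary wp-config.php, and the php://filter input shows that an appended ".php" suffix is no obstacle; the hardened resolver accepts only grid. open_basedir would stop the walk beyond the configured root but not a read of wp-config.php inside it, which is why the allowlist in code, not path sanitization, is the actual fix.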
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-05T10:50:25.874Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 6943b03f4eb3efac366ff385
Added to database: 12/18/2025, 7:41:51 AM
Last enriched: 12/18/2025, 9:16:28 AM
Last updated: 12/19/2025, 8:18:21 AM