CVE-2025-58937 is a Remote File Inclusion (RFI) vulnerability found in the axiomthemes Tacticool WordPress theme, affecting versions up to 1.0.13. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements, allowing an attacker to specify a remote file URL that the server will include and execute. This can lead to arbitrary code execution on the server, compromising confidentiality and integrity of the system. The vulnerability is remotely exploitable over the network without authentication, though it requires user interaction such as visiting a maliciously crafted URL. The CVSS 3.1 score of 8.1 indicates a high severity, with attack vector being network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). The vulnerability affects a widely used WordPress theme, which may be deployed on numerous websites, increasing the potential attack surface. Although no public exploits are currently known, the nature of RFI vulnerabilities and their history suggest a high risk of exploitation once details become widely known. The vulnerability was reserved in September 2025 and published in December 2025, indicating recent discovery and disclosure. Lack of official patches or updates at the time of reporting increases urgency for mitigation.

For European organizations, this vulnerability poses a significant risk to websites running the Tacticool theme, potentially leading to unauthorized remote code execution, data theft, defacement, or use of compromised servers as pivot points for further attacks. Confidential customer data and internal information could be exposed or manipulated, damaging reputation and violating data protection regulations such as GDPR. The integrity of web applications and backend systems could be compromised, leading to loss of trust and operational disruptions. Given the high CVSS score and the nature of the vulnerability, attackers could leverage this flaw to implant backdoors or malware, facilitating persistent access. The impact is particularly severe for organizations relying on WordPress for customer-facing portals, e-commerce, or internal tools. Without timely mitigation, attackers could exploit this vulnerability to conduct espionage, financial fraud, or disrupt services. The lack of known exploits currently provides a window for proactive defense, but the risk of rapid weaponization is high.

European organizations should immediately audit their WordPress installations to identify use of the Tacticool theme, specifically versions up to 1.0.13. If found, they should apply any available patches or updates from axiomthemes as soon as they are released. In the absence of official patches, organizations should implement strict input validation and sanitization on any parameters that influence include or require statements in PHP code. Web application firewalls (WAFs) should be configured to detect and block suspicious requests attempting remote file inclusion, such as those containing URL schemes or suspicious file paths. Disabling allow_url_include and allow_url_fopen directives in PHP configurations can mitigate remote file inclusion risks. Regularly monitoring web server logs for anomalous requests and scanning for webshells or unauthorized files is critical. Organizations should also consider isolating WordPress environments and limiting permissions to reduce potential damage from exploitation. Finally, educating web administrators about the risks and signs of exploitation can improve detection and response.