CVE-2025-58973 is a high-severity vulnerability classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP programs. Specifically, this vulnerability affects the Easy Elementor Addons plugin developed by hashthemes, up to version 2.2.8. The flaw allows an attacker to perform a PHP Local File Inclusion (LFI) attack by manipulating the filename parameter that is used in PHP's include or require functions. This can lead to the inclusion and execution of arbitrary files on the server, potentially allowing an attacker to read sensitive files, execute arbitrary PHP code, or escalate privileges. The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network (AV:N), but requires a higher attack complexity (AC:H) and low privileges (PR:L) without user interaction (UI:N). The impact affects confidentiality, integrity, and availability at a high level. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is significant because it allows attackers to leverage the PHP include mechanism to execute arbitrary code or access sensitive files, which can compromise the entire web server hosting the vulnerable plugin. Since Easy Elementor Addons is a WordPress plugin used to extend Elementor page builder functionality, websites using this plugin are at risk, especially if they have not updated or mitigated the vulnerability. The lack of a patch at the time of publication increases the urgency for mitigation.

For European organizations, this vulnerability poses a substantial risk, particularly for those relying on WordPress websites enhanced with Easy Elementor Addons. Successful exploitation could lead to unauthorized disclosure of sensitive data, website defacement, or full server compromise. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance, especially under GDPR, which mandates protection of personal data. Organizations in sectors such as e-commerce, government, healthcare, and finance that use WordPress extensively are at heightened risk. The ability to remotely execute code without user interaction and with low privileges means attackers can automate exploitation, increasing the threat surface. Additionally, compromised websites can be used as a pivot point for lateral movement within corporate networks or to launch further attacks such as phishing or malware distribution. The high attack complexity somewhat limits exploitation to skilled attackers who can identify vulnerable installations, but the widespread use of WordPress and plugins like Easy Elementor Addons means the potential impact is broad.

Given the absence of an official patch at the time of this report, European organizations should take immediate proactive steps. First, conduct an inventory to identify all WordPress instances using Easy Elementor Addons and verify the plugin version. If possible, temporarily disable or remove the plugin until a patch is available. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities, such as those containing directory traversal sequences or unexpected parameters in include statements. Restrict file permissions on the web server to limit access to sensitive files and prevent unauthorized file inclusion. Employ PHP configuration hardening, such as disabling allow_url_include and restricting open_basedir to limit file inclusion scope. Monitor web server logs for unusual access patterns or errors indicative of exploitation attempts. Educate development and security teams about the risks of insecure file inclusion and encourage secure coding practices. Once a patch is released, prioritize immediate testing and deployment. Additionally, consider deploying runtime application self-protection (RASP) tools that can detect and block malicious code execution in real time.