CVE-2025-60049 identifies a remote file inclusion vulnerability in the axiomthemes Soleil WordPress theme, versions up to and including 1.17. The vulnerability stems from improper validation and control of filenames passed to PHP include or require statements. This flaw allows an attacker to supply a remote URL or local file path that the PHP interpreter will include and execute, effectively enabling arbitrary code execution on the server hosting the vulnerable theme. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly accessible to attackers scanning for vulnerable WordPress installations. Successful exploitation can lead to unauthorized disclosure of sensitive data, website defacement, installation of backdoors, or pivoting to other internal systems. The CVSS 3.1 base score of 8.2 reflects the network attack vector, low attack complexity, no privileges required, and high confidentiality impact with limited integrity impact and no availability impact. Although no public exploits have been reported yet, the nature of the vulnerability and the popularity of WordPress themes make it a prime target for attackers. The vulnerability affects all installations running Soleil theme versions up to 1.17, and no patches or updates are currently linked, indicating the need for immediate attention from site administrators.

For European organizations, this vulnerability poses a significant threat to websites and web applications using the Soleil theme, particularly those in sectors relying heavily on WordPress for e-commerce, information dissemination, or customer engagement. Exploitation could lead to unauthorized access to sensitive customer data, intellectual property theft, and disruption of online services. Given the high confidentiality impact, data breaches could result in regulatory penalties under GDPR, reputational damage, and financial losses. The ability to execute arbitrary code remotely also increases the risk of malware distribution, ransomware deployment, or use of compromised servers as part of botnets. Organizations with limited security monitoring or outdated WordPress themes are especially vulnerable. The lack of required authentication and user interaction means attackers can automate exploitation at scale, increasing the likelihood of widespread compromise if unmitigated.

European organizations should immediately audit their WordPress installations to identify the use of the Soleil theme, particularly versions up to 1.17. Until an official patch is released, administrators should consider disabling or removing the Soleil theme to eliminate exposure. Employing a web application firewall (WAF) with rules to detect and block suspicious include/require parameter manipulations can provide interim protection. Regularly updating all WordPress components, including themes and plugins, is critical once patches become available. Additionally, implementing strict input validation and sanitization for any custom code handling file inclusions can reduce risk. Monitoring web server logs for unusual requests targeting include parameters and deploying intrusion detection systems can help detect exploitation attempts early. Backup strategies should be reviewed and tested to ensure rapid recovery in case of compromise. Finally, educating site administrators about the risks of using outdated themes and the importance of timely updates is essential.