CVE-2025-60051: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes Rare Radio
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Rare Radio rareradio allows PHP Local File Inclusion. This issue affects Rare Radio: from n/a through <= 1.0.15.1.
AI Analysis
Technical Summary
CVE-2025-60051 is a CWE-98 weakness (Improper Control of Filename for Include/Require Statement in PHP Program) in the AncoraThemes Rare Radio theme, affecting every version up to and including 1.0.15.1. Although the CWE title reads "PHP Remote File Inclusion", the description states that the exploitable outcome is Local File Inclusion (LFI): a request-controlled value reaches a PHP include or require statement without adequate validation, so an attacker can steer the include to files that already exist on the server. PHP echoes an included file verbatim when it contains no PHP code and executes it when it does, which is why LFI discloses configuration and other text files directly and, when the attacker can first place PHP code somewhere on disk (an upload, a log file), can escalate to code execution; that escalation is the "further exploitation chain" this analysis refers to. The CVSS v3.1 vector assumed here, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, scores 8.2: network-reachable, low complexity, no privileges or user interaction, high confidentiality impact with limited integrity impact and no availability impact. Note that the record's own Cvss Version field (see Technical Details) is null, so the 8.2 is the analysis's assessment rather than a score carried in the published CVE record. No exploitation in the wild has been reported.

Rare Radio is a commercial WordPress theme from AncoraThemes aimed at radio-station and podcast sites (rareradio in the description is the theme directory slug), so the exposed population is mostly broadcasters and content publishers running public WordPress sites. The CVE was assigned by Patchstack, reserved on 2025-09-25 and published in December 2025. The page links no fixed release, so affected sites must rely on the mitigations below and watch for a vendor update.
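The shape of the bug, as an added illustration that is not Rare Radio's code: a template loader that builds an include path from a request parameter, shown beside an allowlist-based replacement. The `template` parameter, the templates/ directory and the template names are assumptions for the example; the page does not disclose the actual vulnerable parameter.

```php
<?php
// Added illustration of CWE-98 as it typically appears in a WordPress theme
// or plugin that loads a sub-template chosen by the request. This is not
// Rare Radio's code: the `template` parameter, the templates/ directory and
// the template names are assumptions made for the example.

// VULNERABLE: the raw request value becomes part of the include path.
// A value such as ../../../../etc/passwd escapes the intended directory;
// PHP echoes a non-PHP file verbatim and executes any PHP it contains, so
// the same bug reads configuration files and, if the attacker can first
// plant PHP code anywhere on disk, runs it.
function load_template_vulnerable(array $request, string $base_dir): void
{
    $name = $request['template'] ?? 'default';
    include $base_dir . '/templates/' . $name;
}

// HARDENED: the request value is only ever used as a key into a fixed map
// of known templates, so no attacker-controlled string reaches include.
const TEMPLATE_ALLOWLIST = [
    'default'  => 'default.php',
    'playlist' => 'playlist.php',
    'podcast'  => 'podcast.php',
];

/**
 * Returns the absolute path of an allowlisted template, or null when the
 * name is unknown or the resolved path leaves the templates directory.
 */
function resolve_template(string $name, string $base_dir): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $dir = realpath($base_dir . '/templates');
    if ($dir === false) {
        return null;
    }
    $path = realpath($dir . '/' . TEMPLATE_ALLOWLIST[$name]);
    if ($path === false) {
        return null;
    }
    // Defence in depth: even an allowlisted entry must resolve inside the
    // templates directory (protects against symlinks or an edited map).
    $prefix = $dir . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(array $request, string $base_dir): void
{
    $name = (string) ($request['template'] ?? 'default');
    $path = resolve_template($name, $base_dir);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}
```

The allowlist is the fix; the realpath prefix check is a second layer so that a mistake in the map, or a symlink dropped into the templates directory, still cannot pull the include outside it. Filtering the raw value (stripping `../`, rejecting slashes) is a weaker substitute because encoded and overlong variants keep slipping past such filters.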
Potential Impact
For European organizations the direct consequence is unauthorized disclosure of any file the web-server user can read: WordPress configuration (database credentials, authentication salts), environment files, and other text the PHP process can open. Media companies, broadcasters and content providers running Rare Radio face breach handling and GDPR exposure if personal data is reached, and because the flaw needs neither authentication nor user interaction it is well suited to automated mass scanning, so public-facing installations will be probed regardless of how attractive the individual site is. Disclosed credentials give an attacker a path to the database and, where PHP code can also be planted on disk, to code execution and lateral movement. Availability is not directly affected, but the confidentiality loss alone justifies urgent handling. No in-the-wild exploitation is reported at the time of writing; that lowers immediate risk without removing it, since disclosed web-application bugs are routinely weaponized soon after publication. The countries listed below are those where this analysis expects the greatest exposure, given media-sector activity and data-protection enforcement.
Mitigation Recommendations
Start by inventorying Rare Radio installations and their versions (the Version: header in the theme's style.css, or wp theme list under WP-CLI); everything up to and including 1.0.15.1 is affected, and the page links no fixed release, so the fix itself has to come from AncoraThemes. If the theme is installed but not active, remove it: inactive theme files remain under wp-content/themes and can still be requested directly. Everything below is a stop-gap that reduces, rather than removes, the exposure until a vendor update is applied.

The flaw sits in vendor code, so input validation is not something an operator can bolt on from outside; what an operator can do is front the site with a WAF or web-server rules that reject traversal sequences (../, ..\, and their percent-encoded and double-encoded forms) and PHP stream wrappers (php://, phar://, data://) in request parameters, bearing in mind that such filters are bypassable and serve as evidence rather than a guarantee. At the PHP level, set open_basedir so the PHP process can open files only under the site's document root and its temporary directory; this blocks reads of /etc/passwd or other tenants' configuration, but not of files under the web root itself such as wp-config.php or uploads. Keep allow_url_include = Off (its default; it is a php.ini directive, not a function), which rules out remote inclusion via http:// or ftp:// URLs. Disabling allow_url_fopen does not affect include/require and can break outbound HTTP features, so it is not an LFI mitigation. Run PHP-FPM under a per-site user with read access only to what that site needs, so a successful inclusion discloses as little as possible.

Monitor web-server and application logs for requests containing traversal sequences, stream wrappers, or references to wp-config.php, /etc/passwd or /proc/self/environ, and prioritize those that returned 200 with a non-trivial body. If such requests are found, treat the site's database credentials and salts as exposed and rotate them. Include LFI vectors in routine scanning and penetration tests, segment the hosting environment so a compromised site cannot reach internal systems, and apply the vendor patch as soon as it is released.
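A detector for the log monitoring just described, as an added example rather than vendor or Rare Radio tooling: it parses combined-format access-log lines, undoes percent-encoding (including double encoding) before matching, and reports which indicator fired. The log lines in the block are constructed for the example and the `template` parameter is an assumption.

```php
<?php
// Added example: a small detector for LFI probing in Apache/nginx combined
// access logs, the kind of monitoring the mitigation text recommends. It is
// not Rare Radio or vendor tooling. The log lines in $sample are constructed
// for this example and the `template` parameter is an assumption.

const LFI_INDICATORS = [
    'traversal' => '~\.\./~',                                   // ../ after decoding
    'wrapper'   => '~\b(?:php|phar|data|expect|zip)://~i',      // stream wrappers
    'sensitive' => '~(?:/etc/passwd|wp-config\.php|/proc/self/environ)~i',
];

/**
 * Undo percent-encoding repeatedly (bounded) and fold backslashes to
 * slashes, so %2e%2e/, %252e%252e%252f and ..\ are all seen as ../.
 */
function normalize_uri(string $uri): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    return str_replace('\\', '/', $uri);
}

/** Parse one combined-log-format line into its useful fields, or null. */
function parse_log_line(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

/** Names of the indicator patterns that match the normalized URI. */
function classify_uri(string $uri): array
{
    $norm = normalize_uri($uri);
    $hits = [];
    foreach (LFI_INDICATORS as $name => $re) {
        if (preg_match($re, $norm)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Returns the suspicious requests, each with its matched indicators. */
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $hits = classify_uri($req['uri']);
        if ($hits !== []) {
            $req['indicators'] = $hits;
            $alerts[] = $req;
        }
    }
    return $alerts;
}

// Constructed sample: one benign request, three probes using different
// encodings, and one absolute-path attempt without any traversal sequence.
$sample = [
    '203.0.113.5 - - [18/Dec/2025:08:01:02 +0000] "GET /?template=playlist HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Dec/2025:08:01:10 +0000] "GET /?template=../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.4"',
    '198.51.100.9 - - [18/Dec/2025:08:01:11 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.4"',
    '198.51.100.9 - - [18/Dec/2025:08:01:12 +0000] "GET /?template=..%255c..%255cwp-config.php HTTP/1.1" 403 199 "-" "curl/8.4"',
    '198.51.100.9 - - [18/Dec/2025:08:01:13 +0000] "GET /?template=/proc/self/environ HTTP/1.1" 200 0 "-" "curl/8.4"',
];

foreach (scan_log($sample) as $a) {
    printf("%s %s %s -> %d (%s)\n", $a['time'], $a['ip'], $a['uri'], $a['status'], implode(',', $a['indicators']));
}
```

Web servers log the request line as sent, so decoding has to happen in the detector, not be assumed of the log; the bounded loop catches double encoding without looping forever on a literal percent sign. The 'sensitive' pattern exists because an absolute path never contains `../` and would be missed by traversal-only rules. When triaging, a 200 with a non-zero body on a probe (the /etc/passwd line above) matters far more than a 403, and any confirmed read of wp-config.php means the database credentials should be rotated.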
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:19:32.566Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6943b0494eb3efac366ffa84
Added to database: 12/18/2025, 7:42:01 AM
Last enriched: 1/20/2026, 9:30:19 PM
Last updated: 2/5/2026, 5:06:48 PM