CVE-2025-60060: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in axiomthemes Pubzinne
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pubzinne pubzinne allows PHP Local File Inclusion. This issue affects Pubzinne: from n/a through <= 1.0.12.
AI Analysis
Technical Summary
CVE-2025-60060 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP programs, specifically affecting the axiomthemes Pubzinne theme up to version 1.0.12. This vulnerability allows for Remote File Inclusion (RFI) or Local File Inclusion (LFI), where an attacker can manipulate the filename parameter used in PHP's include or require statements to load arbitrary files. This can lead to execution of malicious code, disclosure of sensitive files, or full compromise of the web server hosting the vulnerable theme. The root cause is insufficient validation or sanitization of user-controlled input that determines which files are included. Although no CVSS score is assigned yet and no exploits are reported in the wild, the nature of RFI vulnerabilities typically allows unauthenticated attackers to execute arbitrary PHP code remotely, making it a critical risk. The vulnerability affects all versions of Pubzinne up to 1.0.12, and since Pubzinne is a WordPress theme developed by axiomthemes, any WordPress site using this theme is potentially vulnerable. The vulnerability was reserved in September 2025 and published in December 2025, indicating recent discovery. The lack of available patches at the time of reporting means organizations must rely on temporary mitigations such as disabling remote file inclusion in PHP configurations, restricting file inclusion paths, or applying input validation. Given the widespread use of PHP and WordPress in Europe, this vulnerability poses a significant threat to websites using this theme, especially those exposed to the internet without additional protections.
Potential Impact
The impact of CVE-2025-60060 on European organizations can be severe. Successful exploitation allows attackers to execute arbitrary code on the web server, potentially leading to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Confidentiality is at risk due to possible disclosure of sensitive files. Integrity can be compromised by injecting malicious scripts or altering website content. Availability may be affected if attackers disrupt services or deploy ransomware. Organizations relying on axiomthemes Pubzinne for their public-facing websites, especially in sectors like e-commerce, government, or media, face reputational damage and regulatory penalties under GDPR if personal data is exposed. The ease of exploitation without authentication increases the threat level. Since no known exploits are currently in the wild, proactive mitigation is critical to prevent future attacks. The vulnerability also poses risks to hosting providers and managed service providers supporting affected clients in Europe.
Mitigation Recommendations
1. Immediately audit all WordPress installations for the use of the axiomthemes Pubzinne theme and identify versions <= 1.0.12.
2. Apply vendor patches as soon as they are released; monitor axiomthemes and WordPress security advisories closely.
3. In the absence of patches, disable PHP's allow_url_include directive to prevent remote file inclusion.
4. Implement strict input validation and sanitization on any parameters that influence file inclusion paths, using whitelisting approaches.
5. Restrict PHP include paths to trusted directories only, using open_basedir settings.
6. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts.
7. Regularly update PHP and WordPress core to benefit from security improvements.
8. Conduct security awareness training for developers and administrators on secure coding practices related to file inclusion.
9. Monitor logs for unusual access patterns or errors related to file inclusion.
10. Consider isolating vulnerable applications in segmented network zones to limit lateral movement if compromised.
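The whitelisting and path-restriction recommendations above, shown as working PHP. This is an added example and is not code from the Pubzinne theme; the `template` request parameter, the `templates/` directory and the slug list are assumptions made for illustration.

```php
<?php
// Added illustration of hardening a theme's template loader against CWE-98.
// NOT Pubzinne's code: parameter name, directory and slugs are assumed.
declare(strict_types=1);

// The pattern CWE-98 describes: a request value reaches include unchecked, so
// "../" sequences or, with allow_url_include=On, remote URLs decide what runs.
//   include __DIR__ . '/templates/' . $_GET['template'] . '.php';

/**
 * Resolve a request-supplied template slug to a file under $baseDir, or
 * return null if it is not allow-listed or resolves outside the directory.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: only known slugs, compared strictly (no type juggling).
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: a slug is letters, digits, '-' and '_' only, so a
    //    careless future edit of the allow-list cannot reintroduce traversal.
    if (!preg_match('/\A[a-z0-9_-]+\z/', $requested)) {
        return null;
    }
    // 3. realpath() collapses ".." and symlinks; the result must still be a
    //    regular file inside $baseDir (same intent as open_basedir, in code).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage inside a theme (assumed values).
$allowedTemplates = ['single', 'archive', 'page'];
$templateDir      = __DIR__ . '/templates';
$requested        = isset($_GET['template']) ? (string) $_GET['template'] : 'single';

$file = resolve_template($requested, $templateDir, $allowedTemplates);
if ($file === null) {
    http_response_code(400);   // log this: rejected slugs are the LFI signal to monitor
    exit('Unknown template');
}
include $file;
```

Pair this with `allow_url_include=Off` and an `open_basedir` covering only the web root in php.ini, so the directory check holds even if a different include site is missed.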
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:19:39.457Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b04b4eb3efac366ffb11
Added to database: 12/18/2025, 7:42:03 AM
Last enriched: 12/18/2025, 8:44:22 AM
Last updated: 12/19/2025, 5:56:24 AM