CVE-2025-60061 is a vulnerability classified as Remote File Inclusion (RFI) in the axiomthemes Kicker WordPress theme, affecting versions up to and including 2.2.0. The vulnerability stems from improper validation and control of the filename parameter used in PHP include or require statements. This flaw allows an attacker to supply a crafted filename that points to a remote malicious PHP file, which the server then includes and executes within its context. This can lead to remote code execution, allowing attackers to run arbitrary code on the web server, potentially compromising the entire hosting environment. The vulnerability is particularly dangerous because it does not require authentication or user interaction, making exploitation feasible through simple HTTP requests. Although no public exploits are currently known, the nature of the vulnerability and the widespread use of WordPress themes make it a significant risk. The lack of a CVSS score indicates the need for manual severity assessment. The vulnerability affects the confidentiality, integrity, and availability of affected systems, as attackers can execute arbitrary code, steal sensitive data, or disrupt service. The vulnerability was reserved in September 2025 and published in December 2025, with no patch links currently available, indicating that mitigation may require vendor updates or manual code remediation.

For European organizations, the impact of CVE-2025-60061 can be severe. Organizations running WordPress sites with the Kicker theme are at risk of remote code execution attacks, which can lead to full server compromise, data breaches, defacement, or use of the server as a pivot point for further attacks. This is particularly critical for e-commerce, government, and financial sector websites that rely on WordPress for their public presence. The vulnerability could also be exploited to deploy malware, ransomware, or conduct espionage. Given the popularity of WordPress in Europe and the presence of axiomthemes products, the risk is non-trivial. The lack of authentication requirements and ease of exploitation increase the likelihood of attacks. Additionally, compromised websites could damage organizational reputation and lead to regulatory penalties under GDPR if personal data is exposed. The threat also extends to hosting providers and managed service providers supporting affected clients, potentially amplifying the impact across multiple organizations.

1. Immediately audit all WordPress installations for the presence of the axiomthemes Kicker theme and identify versions up to 2.2.0. 2. Apply vendor patches as soon as they become available; monitor axiomthemes and WordPress security advisories closely. 3. In the absence of official patches, implement manual code review and remediation by sanitizing and validating all inputs used in include/require statements to prevent remote file paths. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts, especially those containing remote URLs or unexpected parameters. 5. Restrict PHP configuration settings such as allow_url_include=Off and allow_url_fopen=Off to prevent remote file inclusion. 6. Conduct regular security scans and penetration tests focusing on file inclusion vulnerabilities. 7. Monitor web server logs for unusual requests targeting file inclusion parameters. 8. Educate development and operations teams about secure coding practices related to file inclusion. 9. Consider isolating WordPress environments using containerization or sandboxing to limit potential damage from exploitation.