CVE-2025-60064 is a Remote File Inclusion (RFI) vulnerability found in the axiomthemes Renewal WordPress theme versions up to 1.2.2. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements. Specifically, the theme fails to sanitize or restrict user-supplied input that determines which files are included during execution. This allows an attacker to craft malicious requests that specify a remote URL or local file path, causing the server to include and execute arbitrary PHP code from an external source or local file. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), such as visiting a maliciously crafted URL. The CVSS v3.1 score of 8.1 reflects high impact on confidentiality and integrity, with no impact on availability. Successful exploitation can lead to full compromise of the affected website, including data theft, defacement, or pivoting to internal networks. No patches or exploit code are currently publicly available, but the issue is publicly disclosed and should be considered critical for affected users. The vulnerability is categorized under improper control of filename for include/require statements, a common PHP security flaw that can be mitigated by strict input validation and use of secure coding practices. The affected product, Renewal by axiomthemes, is a WordPress theme used primarily for business and e-commerce websites, increasing the attractiveness of targets. The vulnerability was reserved in September 2025 and published in December 2025, indicating recent discovery and disclosure.

For European organizations, this vulnerability poses a significant risk to websites running the Renewal theme, especially those handling sensitive customer data or financial transactions. Exploitation can lead to unauthorized disclosure of confidential information, including personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Integrity of website content can be compromised, enabling attackers to deface sites or inject malicious code such as web shells or malware, potentially affecting visitors and customers. The lack of availability impact means websites remain operational but compromised, making detection harder. E-commerce platforms and service providers using this theme are at heightened risk of fraud and business disruption. Additionally, attackers could leverage compromised sites as footholds for lateral movement within corporate networks. The vulnerability's ease of exploitation without authentication increases the threat level, necessitating urgent remediation to protect European digital assets and comply with data protection regulations.

1. Immediately monitor for theme updates from axiomthemes and apply official patches once available to fix the vulnerability. 2. Until patches are released, implement Web Application Firewall (WAF) rules to detect and block suspicious requests attempting to manipulate include parameters, such as those containing remote URLs or directory traversal sequences. 3. Conduct a thorough audit of all web server and PHP configurations to disable allow_url_include and restrict include paths to trusted directories only. 4. Review and sanitize all user inputs that influence file inclusion logic within the theme or custom code. 5. Employ runtime application self-protection (RASP) tools to detect and prevent unauthorized code execution. 6. Regularly scan websites for signs of compromise, including unexpected files or code injections. 7. Educate web administrators on the risks of RFI vulnerabilities and best practices for secure theme management. 8. Consider isolating critical web applications in segmented network zones to limit potential lateral movement if compromised. 9. Maintain regular backups of website data and configurations to enable rapid recovery if exploitation occurs.