
CVE-2025-60066: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in axiomthemes Katelyn

Severity: High
Published: Thu Dec 18 2025 (12/18/2025, 07:22:04 UTC)
Source: CVE Database V5
Vendor/Project: axiomthemes
Product: Katelyn

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Katelyn (katelyn) allows PHP Local File Inclusion. This issue affects Katelyn: from n/a through <= 1.0.10.

AI-Powered Analysis

Last updated: 12/18/2025, 08:42:54 UTC

Technical Analysis

CVE-2025-60066 is classified under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program, and affects the axiomthemes Katelyn WordPress theme up to and including version 1.0.10. The CWE title covers both remote and local inclusion, but the assigner's description is specific: the theme allows PHP Local File Inclusion (LFI). A request-controlled value reaches an include or require statement without being validated against a fixed set of templates, so an attacker can make the server include files it was never meant to expose, for example by supplying path traversal sequences. Remote inclusion of attacker-hosted code is not what is described and would additionally require allow_url_include to be enabled, which PHP ships disabled and has deprecated since 7.4. LFI is still serious: including a file the attacker can write content into (uploaded media, a poisoned log, a session file) turns it into code execution, and where a PHP stream wrapper reaches the sink, php://filter can disclose source such as wp-config.php. The consequence of successful exploitation is therefore arbitrary code execution in the web server's context, which can lead to full site takeover, data theft, defacement, or pivoting into internal networks. No public exploit is known at the time of this analysis, but the issue is publicly disclosed and the page records no fixed version; the assigner (Patchstack) is the authoritative source for patch status. The advisory does not state preconditions such as an authenticated role, so the bug should be treated as reachable by unauthenticated HTTP requests until the vendor states otherwise. No CVSS score has been published, so severity has been assessed independently from the vulnerability's characteristics, and organizations must rely on interim mitigations while monitoring for an update.
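The vulnerable pattern the paragraph describes, next to a hardened version, as an added illustration. This is not Katelyn's code and the advisory does not publish the real sink: the request parameter name (`layout`), the template directory layout and the file names are assumptions. The hardened form maps the untrusted value onto a fixed allowlist and then confirms with realpath() that the resolved file still lies inside the template directory, which is what an include statement fed by user input needs.

```php
<?php
// Added example, not code from the Katelyn theme or from axiomthemes.
// Parameter name "layout", directory layout and file names are assumptions.

// --- Vulnerable pattern (CWE-98 as described on this page) ------------------
// The request value reaches include unchanged, so "../" sequences walk out of
// the template directory and any readable file on disk can be included.
function vulnerable_layout_path(string $templateDir, string $layout): string
{
    return $templateDir . '/' . $layout;   // e.g. ../../../../wp-config.php
}

// --- Hardened pattern ------------------------------------------------------
// 1. Map the untrusted key onto a fixed allowlist of file names.
// 2. Resolve the result with realpath() and refuse anything outside the
//    template directory (defence in depth, in case the allowlist is edited).
const ALLOWED_LAYOUTS = [
    'grid'    => 'grid.php',
    'list'    => 'list.php',
    'masonry' => 'masonry.php',
];

function safe_layout_path(string $templateDir, string $layout): ?string
{
    if (!array_key_exists($layout, ALLOWED_LAYOUTS)) {
        return null;                                   // unknown key: reject
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_LAYOUTS[$layout]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // escaped the directory
    }
    return $path;
}

// --- Demonstration on a throwaway directory --------------------------------
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/grid.php', "<?php echo 'grid ok';\n");
file_put_contents($root . '/wp-config.php', "<?php /* secrets live here */\n");

$inputs = [
    'grid',                         // legitimate value
    '../wp-config.php',             // traversal out of the template directory
    'grid/../../wp-config.php',     // traversal hidden behind a valid prefix
];
foreach ($inputs as $in) {
    $unsafe = vulnerable_layout_path($root . '/templates', $in);
    $safe   = safe_layout_path($root . '/templates', $in);
    printf("%-28s unsafe: %-13s safe: %s\n",
        $in,
        file_exists($unsafe) ? 'would include' : 'no such file',
        $safe === null ? 'REJECTED' : basename($safe));
}

// Clean up the demo files.
unlink($root . '/templates/grid.php');
unlink($root . '/wp-config.php');
rmdir($root . '/templates');
rmdir($root);
```

The allowlist alone closes the bug; the realpath() containment check is there so that a later edit to the map (or a symlink dropped into the template directory) cannot silently reopen it. Note that appending a fixed suffix such as `.php` to the untrusted value is not a fix: traversal still works because the attacker simply targets a file that already ends in `.php`.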

Potential Impact

For European organizations, the impact of CVE-2025-60066 can be significant wherever a WordPress site running the Katelyn theme supports business operations, communications, or e-commerce. Successful exploitation can give an attacker code execution on the web server, enabling defacement, theft of customer data, malware deployment, or use of the compromised host as a foothold for further attacks into corporate networks. The consequences include reputational damage, GDPR exposure if personal data is breached, and operational disruption. WordPress is widely deployed across Europe, and sectors such as media, retail, and professional services that depend on their web presence are at elevated risk. Because the flaw appears to be exploitable remotely without authentication, attackers can scan for and target affected sites en masse, which raises the likelihood of widespread impact if it is left unmitigated.

Mitigation Recommendations

1. Inventory all WordPress installations in the organization and identify instances running the Katelyn theme; any version up to and including 1.0.10 is affected.
2. Monitor the axiomthemes channels and the Patchstack advisory (Patchstack is the CVE assigner) for a fixed release and apply it promptly once available.
3. Until a patch is available, restrict every parameter that influences a file inclusion path in the theme's PHP code to a fixed allowlist of template names or a whitelisted directory. Edits made directly to theme files are lost on the next theme update, so track such a hotfix and remove it once the vendor fix is installed.
4. Deploy Web Application Firewall (WAF) rules that block requests carrying traversal sequences (including URL-encoded forms), PHP stream wrappers such as php://, and references to sensitive paths in parameters that reach the theme.
5. Confirm allow_url_include is Off in php.ini (it is off by default and deprecated since PHP 7.4). This blocks remote inclusion but does not stop local file inclusion; open_basedir confinement for the site's document root reduces what an LFI can reach.
6. Limit file system permissions for the web server user so that it cannot modify theme or core files, and keep upload directories from executing PHP, which removes the easiest route from LFI to code execution.
7. Conduct regular vulnerability scans and penetration tests that cover web application components, including themes and plugins.
8. Educate web administrators on the risks of outdated themes and the importance of timely updates.
9. If patching is not feasible and site functionality allows, temporarily switch to another theme or disable Katelyn.
10. Monitor web server and PHP logs for requests containing traversal sequences, wrapper schemes, or include/require warnings that reference unexpected paths; these are the observable signs of exploitation attempts.
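A small triage script covering steps 1 and 10 above, as an added example rather than anything published by axiomthemes or Patchstack. It assumes the theme is installed under wp-content/themes/katelyn and that the installed version is the `Version:` header of its style.css (the standard WordPress theme convention); the style.css fragment and the access-log lines are constructed for the demo, and the query parameter names in those lines are invented.

```php
<?php
// Added triage helper, not from axiomthemes or Patchstack. Sample inputs are
// constructed; parameter names in the log lines are invented.

const AFFECTED_MAX = '1.0.10';        // "through <= 1.0.10" per the advisory
const THEME_PATH   = '/themes/katelyn/';

// Step 1: read the theme version from the style.css header block.
function theme_version_from_style(string $styleCss): ?string
{
    return preg_match('/^\s*Version:\s*([0-9][0-9.]*)/mi', $styleCss, $m) ? $m[1] : null;
}

function is_affected(?string $version): bool
{
    return $version !== null && version_compare($version, AFFECTED_MAX, '<=');
}

// Step 10: LFI indicators in a request URI. The URI is decoded once so that
// %2e%2e%2f is caught; double-encoded payloads are left to the WAF layer.
function lfi_indicators(string $uri): array
{
    $u = strtolower(rawurldecode($uri));
    $needles = [
        'traversal'  => '../',
        'backslash'  => '..\\',
        'wrapper'    => 'php://',
        'data-uri'   => 'data:',
        'wp-config'  => 'wp-config.php',
        'etc-passwd' => '/etc/passwd',
        'proc-self'  => '/proc/self/',
    ];
    $hits = [];
    foreach ($needles as $name => $needle) {
        if (strpos($u, $needle) !== false) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Parse combined-format access log lines and return one finding per
// suspicious request: source IP, URI, indicators, and whether the request
// touched the theme path directly.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) .*"(?:GET|POST|HEAD) ([^ "]+) HTTP\/[0-9.]+"/', $line, $m)) {
            continue;
        }
        [, $ip, $uri] = $m;
        $hits = lfi_indicators($uri);
        if ($hits === []) {
            continue;
        }
        $findings[] = [
            'ip'         => $ip,
            'uri'        => $uri,
            'indicators' => $hits,
            'theme_path' => stripos($uri, THEME_PATH) !== false,
        ];
    }
    return $findings;
}

// --- Constructed sample data ----------------------------------------------
$sampleStyleCss = "/*\nTheme Name: Katelyn\nAuthor: axiomthemes\nVersion: 1.0.10\n*/\n";

$sampleLog = [
    '203.0.113.5 - - [18/Dec/2025:09:01:12 +0000] "GET /?layout=grid HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Dec/2025:09:01:13 +0000] "GET /?layout=../../../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.4"',
    '198.51.100.7 - - [18/Dec/2025:09:02:40 +0000] "GET /wp-content/themes/katelyn/?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 500 0 "-" "python-requests/2.32"',
    '192.0.2.9 - - [18/Dec/2025:09:03:01 +0000] "GET /?layout=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 812 "-" "curl/8.4"',
];

$version = theme_version_from_style($sampleStyleCss);
printf("Katelyn version %s: %s\n", $version ?? 'unknown',
    is_affected($version) ? 'AFFECTED, mitigate or update' : 'not in affected range');

foreach (scan_access_log($sampleLog) as $f) {
    printf("%-14s %-12s %-40s %s\n", $f['ip'],
        $f['theme_path'] ? 'theme-path' : 'site-root',
        implode(',', $f['indicators']), $f['uri']);
}
```

Run it from the WordPress root after swapping the sample data for `file_get_contents('wp-content/themes/katelyn/style.css')` and the lines of the live access log. A hit on the site root is as relevant as one on the theme path, because a theme's include sink is usually reached through a front-page query parameter or an AJAX endpoint rather than the theme directory itself.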


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:19:39.458Z
CVSS Version: none published
State: PUBLISHED

Threat ID: 6943b04c4eb3efac3670034c

Added to database: 12/18/2025, 7:42:04 AM

Last enriched: 12/18/2025, 8:42:54 AM

Last updated: 12/19/2025, 7:40:21 AM

