CVE-2025-60199 is a Remote File Inclusion (RFI) vulnerability found in the dedalx InHype - Blog & Magazine WordPress theme, specifically affecting versions up to and including 1.5.2. The root cause is improper control over the filename parameter used in PHP include or require statements, allowing an attacker to specify a remote file URL that the server will include and execute. This flaw enables an unauthenticated attacker to execute arbitrary PHP code remotely by supplying a crafted URL parameter, leading to potential full compromise of the web server hosting the vulnerable WordPress site. The vulnerability does not require any user interaction or privileges, and can be exploited over the network (internet). The CVSS v3.1 score of 8.2 reflects the high impact on confidentiality (complete disclosure of sensitive data) and integrity (code execution), with no direct impact on availability. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and poses a significant risk due to the widespread use of WordPress themes and the ease of exploitation. The vulnerability affects the dedalx InHype theme, which is used primarily for blog and magazine style websites, making content management systems and media outlets particularly vulnerable. The lack of available patches at the time of disclosure increases the urgency for mitigation.

For European organizations, this vulnerability presents a serious risk to websites running the InHype WordPress theme. Exploitation can lead to unauthorized disclosure of sensitive information, including user data and internal configurations, as well as unauthorized code execution that could be leveraged to deploy malware, deface websites, or pivot into internal networks. Media companies, bloggers, and online publishers using this theme are especially at risk, as their websites are often public-facing and targeted by attackers seeking to exploit popular content platforms. The breach of confidentiality could result in regulatory penalties under GDPR if personal data is exposed. Additionally, the integrity compromise could damage brand reputation and trust. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, increasing the likelihood of exploitation attempts across Europe.

Organizations should immediately verify if their WordPress installations use the dedalx InHype theme version 1.5.2 or earlier. If so, they should upgrade to a patched version once available or temporarily disable the theme to prevent exploitation. In absence of an official patch, applying virtual patching via web application firewalls (WAF) to block suspicious requests containing remote file inclusion patterns is critical. Restricting PHP's allow_url_include directive to 'Off' in the server configuration can prevent remote file inclusion attacks. Additionally, implementing strict input validation and sanitization on parameters used in include/require statements is recommended. Regularly monitoring web server logs for unusual requests and scanning for indicators of compromise can help detect exploitation attempts early. Organizations should also ensure backups are current and tested to enable recovery if compromise occurs.