CVE-2025-62868: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Edge-Themes Edge CPT
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Edge CPT allows PHP Local File Inclusion. This issue affects Edge CPT: from n/a through 1.4.
AI Analysis
Technical Summary
CVE-2025-62868 is a vulnerability classified under CWE-98, indicating improper control of filenames used in PHP include or require statements within the Edge-Themes Edge CPT WordPress plugin. This vulnerability allows remote attackers to perform PHP Remote File Inclusion (RFI) or Local File Inclusion (LFI) attacks by manipulating the filename parameter that is used in include or require functions without proper validation or sanitization. The affected product, Edge CPT, versions up to 1.4, fails to restrict or validate user-supplied input that controls which files are included during execution. As a result, attackers can supply a crafted filename that points to a remote malicious PHP script or a local sensitive file, leading to arbitrary code execution or disclosure of sensitive information.

The CVSS v3.1 base score of 8.1 reflects a high severity, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H).

Although no public exploits are currently known, the vulnerability poses a significant risk due to the potential for full system compromise. The vulnerability was published on October 24, 2025, and no patches or fixes are currently linked, emphasizing the need for immediate attention. The vulnerability is particularly dangerous in web environments where Edge CPT is deployed, as it can be exploited remotely without authentication, allowing attackers to execute arbitrary PHP code, access sensitive files, or disrupt service availability.
Potential Impact
For European organizations, this vulnerability presents a critical risk to web infrastructure, especially those relying on WordPress sites using the Edge CPT plugin. Successful exploitation can lead to unauthorized disclosure of sensitive data, including customer information and internal documents, undermining confidentiality. Integrity can be compromised through code injection, enabling attackers to alter website content, inject malicious scripts, or establish persistent backdoors. Availability may also be impacted if attackers disrupt services or execute denial-of-service conditions. Given the high prevalence of WordPress in Europe and the widespread use of third-party plugins, organizations in sectors such as e-commerce, government, healthcare, and finance could face severe operational and reputational damage. Additionally, breaches could trigger regulatory penalties under GDPR due to data exposure. The lack of authentication requirements and remote exploitability increase the threat surface, making it easier for attackers to target vulnerable systems across European networks.
Mitigation Recommendations
1. Immediate action should be to monitor for official patches or updates from Edge-Themes and apply them as soon as they become available.
2. Until patches are released, restrict PHP include paths using PHP configuration directives such as open_basedir to limit file inclusion to trusted directories.
3. Employ web application firewalls (WAFs) with rules specifically designed to detect and block Remote File Inclusion and Local File Inclusion attack patterns.
4. Conduct thorough code reviews and implement input validation and sanitization for any parameters controlling file inclusion to prevent malicious input.
5. Disable or restrict the use of dynamic include/require statements where possible.
6. Regularly audit WordPress plugins and remove or replace those that are outdated or no longer maintained.
7. Monitor web server logs for suspicious requests attempting to exploit file inclusion vulnerabilities.
8. Implement network segmentation to isolate critical web servers and limit exposure.
9. Educate development and security teams about secure coding practices related to file inclusion.
10. Consider deploying runtime application self-protection (RASP) solutions to detect and block exploitation attempts in real time.
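One way to apply recommendations 4 and 5 in plugin code, shown as an added example rather than Edge CPT's own code (this page does not name the affected parameter or file). The names `ALLOWED_TEMPLATES` and `resolve_template`, the template filenames and the demo directory are hypothetical: the request only selects a key from an allowlist, and the resolved path must stay inside the template directory.

```php
<?php
declare(strict_types=1);

// Hypothetical names (ALLOWED_TEMPLATES, resolve_template); none come from Edge CPT.
// Unsafe CWE-98 pattern, for contrast: the request decides the path.
//   include $baseDir . '/' . $_GET['template'] . '.php';

const ALLOWED_TEMPLATES = [
    'list'   => 'portfolio-list.php',
    'single' => 'portfolio-single.php',
];

/** Map a request-supplied key to a file inside $baseDir, or return null. */
function resolve_template(string $key, string $baseDir): ?string
{
    // 1. The request only selects a key; the filename comes from the allowlist.
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }
    // 2. Canonicalise both paths. realpath() returns false for a missing file.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: a symlinked template resolving outside $base is refused.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory and three request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/portfolio-list.php', '<?php echo "list template\n";');

foreach (['list', 'single', '../../wp-config'] as $key) {
    $file = resolve_template($key, $dir);
    if ($file === null) {
        echo "rejected: {$key}\n";   // unknown key, or allowlisted file missing
        continue;
    }
    require $file;                   // path is canonical and inside $dir
}

unlink($dir . '/portfolio-list.php');
rmdir($dir);
```

The open_basedir restriction from recommendation 2 complements this check at the interpreter level, so a mistake in application code still cannot reach files outside the trusted directories.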
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-24T07:50:53.684Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68fb31975d093e3bcfef2e26
Added to database: 10/24/2025, 7:58:15 AM
Last enriched: 10/31/2025, 8:21:39 AM
Last updated: 12/6/2025, 3:52:11 AM