CVE-2025-64223: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in PenciDesign PenNews
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign PenNews pennews allows PHP Local File Inclusion. This issue affects PenNews: from n/a through < 6.7.3.
AI Analysis
Technical Summary
CVE-2025-64223 is a Local File Inclusion (LFI) vulnerability found in the PenciDesign PenNews WordPress theme, specifically affecting versions prior to 6.7.3. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input to include arbitrary files from the server's filesystem. By exploiting this, an attacker can read sensitive files such as configuration files, password stores, or other critical data, potentially leading to information disclosure or facilitating further attacks like remote code execution if combined with other vulnerabilities. The vulnerability does not require authentication, increasing its risk profile, and no user interaction is needed beyond sending crafted HTTP requests. Although no public exploits are currently known, the vulnerability's presence in a popular WordPress theme used widely for news and magazine websites elevates its threat level. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors. The vulnerability was publicly disclosed in December 2025, with the vendor releasing version 6.7.3 as a fix. The lack of patch links in the data suggests users must verify updates directly from the vendor. The vulnerability's exploitation could lead to significant confidentiality breaches and potential integrity compromises if attackers leverage included files to execute malicious code.
Potential Impact
For European organizations, especially those relying on WordPress and the PenNews theme for their web presence, this vulnerability poses a considerable risk. Successful exploitation can lead to unauthorized disclosure of sensitive data such as customer information, internal documents, or credentials stored on the server. This can result in reputational damage, regulatory penalties under GDPR, and operational disruptions. Additionally, attackers might use the vulnerability as a foothold to escalate privileges or deploy malware, further compromising network integrity and availability. Media, publishing, and e-commerce sectors, which often use PenNews for content delivery, are particularly vulnerable. The ease of exploitation without authentication increases the likelihood of automated scanning and attacks, potentially leading to widespread compromise if unpatched. The impact is amplified in organizations with inadequate web application firewalls or insufficient monitoring of web traffic.
Mitigation Recommendations
The primary mitigation is to update the PenNews theme to version 6.7.3 or later, where the vulnerability is patched. Organizations should verify the authenticity of updates by obtaining them directly from PenciDesign or trusted repositories. In addition, implement strict input validation on any user-supplied parameter that selects a file for inclusion, preferably by mapping the value onto a fixed allowlist of known template files rather than building a path from it. Employ web application firewalls (WAFs) configured to detect and block LFI attack patterns, such as suspicious traversal sequences or attempts to access sensitive files. Restrict the filesystem paths PHP is allowed to open using configuration directives (e.g., open_basedir) so that an inclusion flaw cannot reach files outside the web root. Conduct thorough security audits of all plugins and themes to identify similar vulnerabilities. Regularly monitor web server logs for anomalous requests indicative of LFI attempts. Finally, maintain robust backup and incident response plans to quickly recover from potential compromises.
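The following is an added illustration of the input-validation recommendation above; it is not PenNews code, and the `layout` parameter, the `layouts/` directory and the file names are assumptions. It shows the weak pattern described by CWE-98 beside two hardened forms: an allowlist lookup, and a realpath containment check for cases where the set of files is not fixed.

```php
<?php
// Added example (hypothetical theme helper, not PenNews code). A request
// parameter picks a template partial; $layout is assumed to come from $_GET.

// Weak pattern: the untrusted value is concatenated into the include path,
// so traversal sequences can pull in any file PHP is able to read (LFI).
function render_layout_unsafe(string $layout): void
{
    include __DIR__ . '/layouts/' . $layout . '.php';
}

// Hardened pattern 1: the request value only selects an entry from a fixed
// allowlist; the filesystem path itself never contains user input.
const LAYOUTS = [
    'grid' => 'grid.php',
    'list' => 'list.php',
    'hero' => 'hero.php',
];

function render_layout_safe(string $layout): void
{
    if (!isset(LAYOUTS[$layout])) {
        http_response_code(400);   // unknown layout: refuse, do not guess
        return;
    }
    include __DIR__ . '/layouts/' . LAYOUTS[$layout];
}

// Hardened pattern 2: when templates are discovered dynamically, resolve the
// candidate with realpath() and require that it stays inside the intended
// directory. realpath() collapses '..' and returns false for missing files;
// basename() drops any directory component; the null-byte check avoids a
// ValueError from realpath() on PHP 8 and rejects truncation tricks.
function resolve_layout(string $layout): ?string
{
    if ($layout === '' || str_contains($layout, "\0")) {
        return null;
    }
    $base = realpath(__DIR__ . '/layouts');
    $path = realpath($base . '/' . basename($layout) . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Prefix comparison includes the separator so "layouts-old/..." does not match.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the layouts directory
    }
    return $path;
}
```

Pattern 1 is the preferable fix for a theme, since the template set is known at release time; pattern 2 is the fallback, and open_basedir remains a defence-in-depth layer behind either.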
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-29T03:08:02.189Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b0534eb3efac36700aa5
Added to database: 12/18/2025, 7:42:11 AM
Last enriched: 12/18/2025, 8:15:57 AM
Last updated: 12/19/2025, 11:39:46 AM