CVE-2025-64360: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in StylemixThemes Consulting Elementor Widgets
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting Elementor Widgets consulting-elementor-widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2.
AI Analysis
Technical Summary
CVE-2025-64360 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP programs, specifically within the StylemixThemes Consulting Elementor Widgets WordPress plugin. This vulnerability allows for PHP Remote File Inclusion (RFI), where an attacker can manipulate the filename parameter used in PHP include or require statements to load arbitrary remote files. This occurs due to insufficient validation or sanitization of user-supplied input controlling the file path. The affected plugin versions are up to and including 1.4.2. Exploiting this vulnerability enables attackers to execute arbitrary PHP code on the web server, potentially leading to full site compromise, data exfiltration, or defacement. The vulnerability is particularly dangerous because it does not require authentication or user interaction, making it exploitable remotely by unauthenticated attackers. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date (October 31, 2025). However, the nature of RFI vulnerabilities historically leads to rapid exploitation once public disclosure occurs. The plugin is used in WordPress environments, which are widely deployed across many industries, including consulting and professional services. The vulnerability underscores the importance of secure coding practices in handling file inclusion and input validation.
Potential Impact
For European organizations, this vulnerability poses a critical risk, especially for those relying on WordPress sites with the Consulting Elementor Widgets plugin installed. Successful exploitation can lead to remote code execution, allowing attackers to take full control of the affected web server. This can result in data breaches, defacement, service disruption, and use of the compromised server as a pivot point for further attacks within the network. Consulting firms and professional services websites are attractive targets due to the sensitive client data they may hold. The impact extends beyond confidentiality to integrity and availability, as attackers can modify website content or disrupt services. Given the widespread use of WordPress in Europe and the popularity of Elementor-based themes and plugins, the scope of affected systems could be significant. The lack of authentication requirement and ease of exploitation increase the urgency for mitigation. Additionally, regulatory frameworks like GDPR impose strict data protection requirements, so breaches resulting from this vulnerability could lead to legal and financial penalties.
Mitigation Recommendations
1. Immediately identify and inventory all WordPress installations using the StylemixThemes Consulting Elementor Widgets plugin.
2. Disable or remove the vulnerable plugin version (<= 1.4.2) until a security patch is released by the vendor.
3. Monitor official StylemixThemes channels and Patchstack advisories for updates and apply patches promptly once available.
4. Implement Web Application Firewalls (WAF) with rules to detect and block suspicious file inclusion attempts targeting PHP include/require parameters.
5. Conduct thorough web server log analysis to detect any signs of exploitation attempts or successful intrusions.
6. Harden PHP configurations by disabling allow_url_include and restricting file inclusion paths where possible.
7. Educate web administrators and developers on secure coding practices, especially validating and sanitizing all user inputs controlling file paths.
8. Consider deploying runtime application self-protection (RASP) solutions to detect and prevent exploitation in real time.
9. Regularly back up website data and configurations to enable rapid recovery in case of compromise.
10. Review and tighten access controls on web servers and hosting environments to limit the impact of potential breaches.
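The weakness class behind this CVE and the hardening called for in steps 6 and 7, shown as an added example: a hypothetical template loader (not the plugin's code, which this page does not show) in its request-controlled form beside an allowlisted, path-confined rewrite; the template names and directory are assumptions.

```php
<?php
// Added example; hypothetical template loader, not code from the plugin.

// WEAK PATTERN: the request value alone decides which file is included.
// With allow_url_include=On this reaches remote resources (RFI); with it
// Off, a crafted value can still reach local files outside templates/ (LFI).
function render_template_weak(string $template): void
{
    include __DIR__ . '/templates/' . $template;
}

// HARDENED: map the request value onto a fixed allowlist of filenames,
// then confirm the resolved path still sits inside the templates directory.
function render_template_safe(string $template): void
{
    static $allowed = [
        'default' => 'default.php',
        'compact' => 'compact.php',
    ];
    if (!array_key_exists($template, $allowed)) {
        http_response_code(400);   // unknown key: refuse, never guess
        return;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . DIRECTORY_SEPARATOR . $allowed[$template]);
    // realpath() collapses symlinks and traversal; the prefix check makes the
    // containment explicit even if the allowlist is later edited carelessly.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(500);
        return;
    }
    include $path;
}

// Defence in depth (mitigation step 6): flag a runtime that still permits
// remote includes, so the weak pattern cannot be turned into RFI.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; set allow_url_include=Off in php.ini');
}

render_template_safe($_GET['template'] ?? 'default');
```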
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-31T11:23:15.208Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6904a34e479ed964d8ea1ea3
Added to database: 10/31/2025, 11:53:50 AM
Last enriched: 10/31/2025, 12:11:04 PM
Last updated: 11/1/2025, 1:50:07 PM