CVE-2025-64360 is a vulnerability classified as PHP Local File Inclusion (LFI) found in the StylemixThemes Consulting Elementor Widgets WordPress plugin, versions up to and including 1.4.2. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary local files on the server. This can lead to unauthorized disclosure of sensitive information such as configuration files, source code, or credentials stored on the server. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and the potential confidentiality impact. The vulnerability does not affect integrity or availability directly but can be a stepping stone for further attacks. No public exploits have been reported yet, but the flaw’s nature makes it a likely target for attackers once weaponized. The Consulting Elementor Widgets plugin is used primarily in WordPress sites focused on consulting and business services, which may contain sensitive client data. The vulnerability was published on October 31, 2025, and no official patches or mitigation links are currently provided by the vendor, requiring organizations to implement interim controls.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data hosted on WordPress sites using the affected plugin. Disclosure of configuration files or credentials could lead to further compromise of web servers or internal networks. Consulting firms and business service providers, which often handle personal and financial data, are particularly at risk. The ease of exploitation without authentication means attackers can scan and target vulnerable sites en masse, increasing the likelihood of widespread data leakage. This could result in regulatory non-compliance under GDPR due to unauthorized access to personal data, leading to legal and financial repercussions. Additionally, reputational damage from data breaches could impact client trust and business continuity. The lack of known exploits currently provides a small window for mitigation before active exploitation begins.

1. Immediately audit all WordPress installations for the presence of the Consulting Elementor Widgets plugin and identify versions at or below 1.4.2. 2. Apply vendor patches as soon as they become available; monitor StylemixThemes announcements and trusted vulnerability databases. 3. In the absence of patches, implement strict input validation and sanitization on any parameters controlling file inclusion, restricting to a whitelist of allowed files or directories. 4. Employ web application firewalls (WAFs) with rules specifically designed to detect and block LFI attempts, including suspicious include/require patterns and directory traversal sequences. 5. Disable PHP functions like include(), require(), or allow_url_include if not needed, or use PHP configuration directives to restrict file inclusion paths (e.g., open_basedir). 6. Regularly monitor web server logs for unusual access patterns indicative of LFI exploitation attempts. 7. Conduct security awareness training for web administrators to recognize and respond to such vulnerabilities. 8. Consider isolating WordPress environments and limiting permissions of web server processes to minimize impact if exploitation occurs.