
CVE-2025-64360: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in StylemixThemes Consulting Elementor Widgets

Severity: High
Published: Fri Oct 31 2025 (10/31/2025, 11:42:32 UTC)
Source: CVE Database V5
Vendor/Project: StylemixThemes
Product: Consulting Elementor Widgets

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting Elementor Widgets (consulting-elementor-widgets) allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through <= 1.4.2.

AI-Powered Analysis

Last updated: 01/21/2026, 00:04:45 UTC

Technical Analysis

CVE-2025-64360 is a PHP Remote File Inclusion (RFI) vulnerability in the StylemixThemes Consulting Elementor Widgets WordPress plugin, affecting versions up to and including 1.4.2. The root cause is missing validation of the filename parameter passed to a PHP include or require statement, which lets an attacker supply a remote file URL. When exploited, the vulnerability allows arbitrary PHP code hosted on an attacker-controlled server to be included and executed in the context of the vulnerable web application. It is exploitable over the network without authentication or user interaction, which makes it highly accessible to attackers. The CVSS v3.1 base score is 7.5 (High), with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality, allowing attackers to read sensitive files or execute arbitrary code remotely. The vector does not rate an impact on integrity or availability, but the vulnerability can lead to significant information disclosure and further compromise depending on the included payload. No exploitation in the wild has been reported yet, but RFI vulnerabilities have historically been attractive targets for attackers seeking to compromise WordPress sites. The plugin is widely used on consulting and business websites built on WordPress, which often hold sensitive client data and business logic.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality of sensitive data hosted on websites using the affected plugin. Attackers can remotely execute arbitrary PHP code, potentially leading to data leakage, unauthorized access to backend systems, or pivoting to further attacks within the network. This is particularly critical for organizations handling personal data under GDPR, as a breach could result in regulatory penalties and reputational damage. The vulnerability does not directly affect system integrity or availability but can be a stepping stone for more severe attacks. Organizations relying on WordPress for customer-facing portals, consulting services, or internal knowledge bases are at heightened risk. The ease of exploitation without authentication increases the likelihood of automated scanning and exploitation attempts, especially in countries with high WordPress usage. Additionally, the lack of known patches at the time of disclosure means organizations must be vigilant in monitoring and applying updates promptly once available.

Mitigation Recommendations

1. Monitor official StylemixThemes channels and WordPress plugin repositories for patches addressing CVE-2025-64360 and apply updates immediately upon release.
2. In the interim, restrict access to vulnerable plugin files using web server configuration rules (e.g., .htaccess) to block suspicious requests or parameters that attempt to include remote files.
3. Deploy and configure Web Application Firewalls (WAFs) with signatures or rules to detect and block Remote File Inclusion attempts targeting the plugin.
4. Conduct a thorough audit of all WordPress plugins and themes to identify and remove or replace outdated or unsupported components.
5. Harden PHP configurations by disabling the allow_url_include and allow_url_fopen directives to prevent remote file inclusion at the PHP interpreter level.
6. Implement strict input validation and sanitization for any user-controllable parameters in custom code or plugins.
7. Regularly scan web applications with vulnerability scanners that can detect RFI vulnerabilities.
8. Educate web development and security teams about the risks of RFI and secure coding practices to prevent similar issues in custom plugins or themes.
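As an added illustration of items 5 and 6 (this is example code, not the plugin's own source), the snippet below shows the include pattern behind this weakness class next to a hardened replacement. The request parameter name `layout`, the `layouts/` directory and the allowlist values are assumptions chosen for the example.

```php
<?php
// Added example; not code from Consulting Elementor Widgets. The "layout"
// parameter and the layouts/ directory are illustrative assumptions.
declare(strict_types=1);

// Weak pattern (shown for contrast, never called here): the include path is
// assembled straight from request input, so whatever PHP can resolve, a
// remote URL when allow_url_include is on or another local file when it is
// off, is executed as code.
function render_layout_unsafe(string $layout): void
{
    include __DIR__ . '/layouts/' . $layout . '.php';
}

// Hardened pattern: map the request value through an explicit allowlist, then
// confirm the resolved file still lives inside the expected directory.
function render_layout_safe(string $layout): void
{
    static $allowed = ['default', 'compact', 'sidebar'];

    if (!in_array($layout, $allowed, true)) {
        $layout = 'default'; // unknown values fall back, they are never included
    }

    $base = realpath(__DIR__ . '/layouts');
    $file = realpath($base . '/' . $layout . '.php');

    // realpath() yields false for missing files; the prefix check rejects any
    // path that left the base directory through traversal or a symlink.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(400);
        return;
    }

    include $file;
}

// Interpreter-level defence: refuse to run if remote includes are enabled, so
// a future code regression cannot silently turn into RFI.
function assert_no_remote_include(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off');
    }
}

assert_no_remote_include();
render_layout_safe((string) ($_GET['layout'] ?? 'default'));
```

The allowlist is the real control; the realpath prefix check is defence in depth for the case where the list is later replaced by something more dynamic.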


Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-10-31T11:23:15.208Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6904a34e479ed964d8ea1ea3

Added to database: 10/31/2025, 11:53:50 AM

Last enriched: 1/21/2026, 12:04:45 AM

Last updated: 2/7/2026, 12:06:04 PM

