CVE-2025-67521 identifies a Remote File Inclusion (RFI) vulnerability in the Select-Themes Select Core PHP component, specifically versions prior to 2.6. The vulnerability stems from improper validation or control of filenames passed to PHP's include or require statements. This flaw allows an attacker to specify a remote file URL that the PHP interpreter will include and execute, effectively enabling remote code execution on the server. RFI vulnerabilities are particularly dangerous because they can lead to full system compromise, data theft, defacement, or pivoting within the network. The vulnerability affects web applications using the Select Core theme, which is a PHP-based theme framework commonly used in content management systems or custom PHP sites. Although no public exploits are currently reported, the vulnerability is published and unpatched, increasing the risk of exploitation. The lack of a CVSS score indicates that the vulnerability is newly disclosed and pending further analysis. The vulnerability requires no authentication and does not depend on user interaction, making it easier for attackers to exploit remotely. The absence of patch links suggests that developers or vendors have yet to release a fix, emphasizing the need for immediate mitigation steps. This vulnerability highlights the critical importance of sanitizing and validating all user inputs that influence file inclusion paths and configuring PHP settings to disable remote file inclusion (allow_url_include=Off).

For European organizations, this vulnerability poses a significant risk to web servers running PHP applications with the Select Core theme. Exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands, steal sensitive data, modify website content, or deploy malware. This can result in data breaches, service disruptions, reputational damage, and regulatory non-compliance, especially under GDPR. Organizations relying on PHP-based CMS platforms or custom web applications that incorporate Select Core themes are particularly vulnerable. The impact is amplified for public-facing websites and e-commerce platforms, where customer data and transaction integrity are critical. Additionally, compromised servers can be used as launchpads for further attacks within corporate networks or for hosting phishing and malware distribution sites. The absence of known exploits currently provides a window for proactive defense, but the published vulnerability status demands urgent attention to prevent future exploitation. The impact on availability can also be severe if attackers deploy ransomware or conduct denial-of-service attacks post-compromise.

1. Immediately audit all PHP applications using the Select Core theme to identify vulnerable versions and instances of dynamic include/require statements. 2. Implement strict input validation and sanitization to ensure that filenames used in include/require statements cannot be manipulated to include remote files. 3. Disable remote file inclusion in PHP configuration by setting 'allow_url_include=Off' and ensure 'allow_url_fopen' is disabled if not required. 4. Restrict web server permissions to limit the ability of PHP processes to write or execute unauthorized files. 5. Monitor web server logs for suspicious requests attempting to exploit file inclusion vulnerabilities, such as URLs containing unexpected parameters or remote file paths. 6. Employ Web Application Firewalls (WAFs) with rules targeting RFI attack patterns to block malicious requests. 7. Once available, promptly apply official patches or updates from Select-Themes for the Select Core product. 8. Consider isolating vulnerable web applications in segmented network zones to limit lateral movement in case of compromise. 9. Conduct regular security code reviews and penetration testing focused on file inclusion and input validation flaws. 10. Educate development teams on secure coding practices related to file handling in PHP.