
CVE-2025-67521: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Select-Themes Select Core

Severity (site rating): Critical
Published: Tue Dec 09 2025 (12/09/2025, 14:13:58 UTC)
Source: CVE Database V5
Vendor/Project: Select-Themes
Product: Select Core

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core (select-core) allows PHP Local File Inclusion. This issue affects Select Core: from n/a through < 2.6.

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 00:48:27 UTC

Technical Analysis

CVE-2025-67521 is a file inclusion vulnerability in the Select-Themes Select Core plugin (select-core) affecting versions before 2.6. The CVE title carries the CWE-98 wording ('Improper Control of Filename for Include/Require Statement in PHP Program'), a weakness class that covers both remote and local inclusion, but the advisory text itself states that the flaw allows PHP Local File Inclusion: a request-controlled value reaches a PHP include or require statement without being constrained to the files the code intends to load, so an attacker can make the interpreter include arbitrary files from the server's own filesystem. Nothing on this page indicates that remotely hosted files can be included, so describing the issue as remote file inclusion overstates what is documented.

Local file inclusion in PHP is still a serious finding. At minimum it discloses any file the web server user can read, which on a WordPress installation includes wp-config.php (database credentials and authentication salts), other configuration and source files, and anything else readable by that account. Because include executes PHP tags in whatever file it loads, regardless of extension, the issue becomes code execution as soon as the attacker can place PHP into a file at a known or guessable local path (an uploaded image carrying a PHP payload, poisoned log or session files, or, where the parameter forms the start of the path, php:// stream wrapper tricks). Such code runs with the privileges of the web server or PHP-FPM user, which is normally enough to take over the site and the data it holds.

The Technical Details on this page record no CVSS version or vector, so the prerequisites (authentication, user interaction) and a numeric score are not established here; the Critical rating is the site's own. No public exploit is recorded on the page. The issue was published on December 9, 2025 with Patchstack as the assigning CNA, and the stated affected range (through < 2.6) implies that version 2.6 contains the fix. Theme and plugin parameters of this kind are usually reachable by unauthenticated visitors, and disclosed WordPress file inclusion bugs are commonly probed at scale soon after publication, so organisations running Select Core should treat the update as urgent.
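To make the weakness concrete, here is an added PHP illustration of the pattern the CWE describes and of a hardened replacement. It is not Select Core's code and does not claim to show where the plugin's bug is; the function names, the template directory and the `template` request parameter are assumptions. It also shows why stripping "../" is not a fix.

```php
<?php
declare(strict_types=1);

// Template names the loader may serve: the request selects a key, never a path.
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar', 'single'];

// VULNERABLE pattern (hypothetical): the request value is concatenated straight
// into the include path. With $themeDir prefixed, stream wrappers (php://...)
// cannot be reached, but directory traversal can:
//   ?template=../../../../etc/passwd         reads any file the PHP user can read
//   ?template=../../uploads/2025/avatar.jpg  executes PHP tags hidden in an upload
// include runs PHP in whatever file it loads, whatever the extension, so local
// inclusion becomes code execution wherever the attacker can write a file.
function load_template_vulnerable(string $themeDir, string $name): void
{
    include $themeDir . '/' . $name;
}

// INSUFFICIENT fix: str_replace is single-pass, so "....//" collapses to "../".
function naive_sanitise(string $name): string
{
    return str_replace('../', '', $name);
}

// HARDENED: allowlist first, then prove the resolved file is inside $themeDir.
// Returns the absolute path to include, or null to refuse the request.
function resolve_template(string $themeDir, string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($themeDir);
    $path = realpath($themeDir . '/' . $name . '.php');
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {   // PHP >= 8.0
        return null;
    }
    return $path;
}

// Returns true if a template was included, false if the request was refused
// (the caller then answers 400 instead of falling back to the raw value).
function load_template_hardened(string $themeDir, string $name): bool
{
    $path = resolve_template($themeDir, $name);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Stand-alone demo with a throwaway template directory holding one template.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/single.php', '<?php echo "single template\n";');

// Constructed probe values, the kind a scanner would send.
$probes = [
    'single',
    '../../../../etc/passwd',
    '....//....//etc/passwd',
    'php://filter/convert.base64-encode/resource=single',
];
foreach ($probes as $p) {
    printf("%-50s naive: %-24s hardened: %s\n",
        $p, naive_sanitise($p), resolve_template($dir, $p) ?? 'REFUSED');
}
var_dump(load_template_hardened($dir, 'single'));
var_dump(load_template_hardened($dir, '../etc/passwd'));

unlink($dir . '/single.php');
rmdir($dir);
```

The allowlist is the real control; the realpath containment check is defence in depth for the day someone adds a template name that itself contains a separator. Run it with `php` from the command line; no web server is needed.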

Potential Impact

For European organisations running WordPress sites built on Select-Themes products, the impact combines data exposure with possible server compromise. Arbitrary file read alone exposes wp-config.php (database credentials and salts), other configuration and source files, and anything else readable by the web server user, so confidentiality is the first casualty. Where the attacker can get PHP into an includable local file, the issue escalates to code execution, putting integrity (injected content, backdoored plugins, credential theft from logged-in users) and availability (defacement, data destruction, ransomware) at risk. Given how widely PHP-based CMS platforms and commercial themes are used across European e-commerce, government and media sites, a compromise can affect customer-facing services and expose personal data, which in turn triggers GDPR breach-assessment and notification obligations. The advisory does not record whether authentication is required, but template parameters of this kind are usually reachable by any visitor, which keeps the barrier low. No public exploit is recorded on this page, yet disclosed WordPress file inclusion bugs are typically probed at scale within days, so the absence of a known exploit should not delay remediation.

Mitigation Recommendations

1. Update Select Core to version 2.6 or later; the advisory's affected range (through < 2.6) indicates that 2.6 contains the fix.
2. If the update cannot be applied immediately, deactivate the plugin or block the affected request path at the web server or WAF until it can.
3. In custom code, never pass request data into include/require. Map the request value onto a fixed allowlist of template names and verify that the realpath of the resolved file stays inside the intended directory; stripping "../" is not a fix, because patterns such as "....//" survive a single replacement.
4. Keep allow_url_include set to Off (it is Off by default); note that this only blocks remote URLs and does nothing against local inclusion. Setting allow_url_fopen to Off is an additional hardening step but can break legitimate functionality, so test first. open_basedir limits the directories PHP can read and therefore what a local inclusion can reach.
5. Use a Web Application Firewall, including WordPress-specific ones, with rules for path traversal ("../", "%2e%2e" and double-encoded variants), php:// and data:// wrappers, and sensitive file names such as /etc/passwd and wp-config.php.
6. Run PHP under an account that cannot read outside the web root, make wp-config.php readable only by that account, and disable PHP execution in wp-content/uploads so that including an uploaded file cannot turn into code execution.
7. Monitor web server logs and intrusion detection systems for traversal sequences, /etc/passwd, wp-config and php:// in query strings; a 200 response with an unusual body size to such a request is a probable successful read, while a 403/404 usually indicates a WAF or patched code refusing it.
8. Audit customisations and plugins that interact with template or file loading for the same pattern.
9. Train development and operations teams on secure handling of file paths in PHP.
10. Maintain tested backups and an incident response plan; if compromise is suspected, rotate the database credentials and WordPress salts, since wp-config.php is the first file an attacker reads.
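As an added example for the log-monitoring step (not part of this page or of any vendor tooling), the following PHP script scans combined-format access-log lines for the indicators listed above. The log lines are constructed samples, and "template" is an assumed parameter name, not the vulnerable parameter in Select Core.

```php
<?php
declare(strict_types=1);

// Indicators of local file inclusion attempts in a request URI. Names are for
// triage output; the patterns are generic and not specific to Select Core.
const LFI_INDICATORS = [
    'dot-dot traversal'        => '#(?:\.\./|\.\.\\\\|%2e%2e(?:%2f|%5c|/))#i',
    'double-encoded traversal' => '#%252e%252e(?:%252f|%255c)#i',
    'sensitive local file'     => '#(?:/|=)(?:etc/passwd|proc/self/environ|wp-config(?:\.php)?|windows/win\.ini)#i',
    'php stream wrapper'       => '#(?:^|=)(?:php|data|expect|phar|zip)://#i',
    'null byte'                => '#%00#',
];

// Pull the request URI, status and size out of a combined-format log line.
function parse_request(string $line): ?array
{
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) (\d+|-)#', $line, $m)) {
        return null;
    }
    return ['uri' => $m[1], 'status' => (int) $m[2], 'bytes' => $m[3] === '-' ? 0 : (int) $m[3]];
}

// Indicator names matching the URI, checked both raw and after one round of URL
// decoding so %2e%2e%2f is seen as ../ while double encoding is still flagged
// on the raw form.
function lfi_indicators(string $uri): array
{
    $hits = [];
    foreach (LFI_INDICATORS as $name => $re) {
        foreach ([$uri, rawurldecode($uri)] as $candidate) {
            if (preg_match($re, $candidate) === 1) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

// Scan log lines; each alert carries line number, URI, status, size and indicators.
function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $i => $line) {
        $req = parse_request($line);
        if ($req === null) {
            continue;
        }
        $hits = lfi_indicators($req['uri']);
        if ($hits !== []) {
            $alerts[] = ['line' => $i + 1, 'indicators' => $hits] + $req;
        }
    }
    return $alerts;
}

// Constructed sample lines (not real traffic); "template" is an assumed parameter.
$sample = [
    '203.0.113.7 - - [09/Dec/2025:14:20:01 +0000] "GET /?template=single HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Dec/2025:14:20:02 +0000] "GET /?template=../../../../etc/passwd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Dec/2025:14:20:03 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3021 "-" "curl/8.4.0"',
    '203.0.113.7 - - [09/Dec/2025:14:20:04 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 4400 "-" "python-requests/2.32"',
    '198.51.100.9 - - [09/Dec/2025:14:21:10 +0000] "GET /?template=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $a) {
    // A 200 with a body is a probable successful read; a 403/404 usually means a
    // WAF or the patched code refused it, but the source is still worth blocking.
    printf("line %d  %s %3d %5d bytes  [%s]\n",
        $a['line'], $a['uri'], $a['status'], $a['bytes'], implode(', ', $a['indicators']));
}
```

The first sample line (a legitimate template name) produces no alert; the remaining four each match at least one indicator. In production, feed it the real access log, key alerts on status and body size, and correlate the source address across requests, since scanners usually try several encodings in quick succession.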


Technical Details

Data Version
5.2
Assigner Short Name
Patchstack
Date Reserved
2025-12-09T12:20:54.763Z
Cvss Version
null
State
PUBLISHED

Threat ID: 693833a229cea75c35ae5245

Added to database: 12/9/2025, 2:35:14 PM

Last enriched: 1/21/2026, 12:48:27 AM

Last updated: 2/5/2026, 9:35:28 AM

