
CVE-2025-67615: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in bslthemes Myour

Severity: High
Tags: Vulnerability, CVE-2025-67615
Published: Thu Jan 22 2026 (01/22/2026, 16:51:51 UTC)
Source: CVE Database V5
Vendor/Project: bslthemes
Product: Myour

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1.

AI-Powered Analysis

Last updated: 01/30/2026, 08:31:49 UTC

Technical Analysis

CVE-2025-67615 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement' in the PHP-based bslthemes Myour product, specifically affecting versions up to 1.5.1. This vulnerability is a form of Remote File Inclusion (RFI), where the application fails to properly validate or sanitize user-supplied input used in PHP include or require statements. As a result, an attacker can supply a crafted filename or URL that causes the server to include and execute malicious remote code. The vulnerability does not require authentication or user interaction, and the attack vector is network-based, making it remotely exploitable. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with a high attack complexity but no privileges or user interaction needed. Although no public exploits are currently known, the potential for remote code execution makes this a critical risk. The vulnerability affects web servers running the Myour theme, which is used in PHP environments, often in CMS or e-commerce contexts. The lack of patches or official fixes at the time of publication increases the urgency for mitigation. The vulnerability was reserved in December 2025 and published in January 2026, indicating recent discovery and disclosure.

Potential Impact

For European organizations, this vulnerability poses a significant threat to web applications using the Myour theme, potentially leading to remote code execution, data breaches, defacement, or denial of service. Confidentiality is at risk as attackers can execute arbitrary code to access sensitive data. Integrity can be compromised through unauthorized modification of files or databases. Availability may be affected if attackers disrupt services or deploy ransomware. Organizations relying on PHP-based CMS or e-commerce platforms that integrate Myour themes are particularly vulnerable. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR), and financial losses. Given the remote exploitability and lack of required privileges, attackers can target vulnerable systems en masse, increasing the risk of widespread compromise across European web infrastructure.

Mitigation Recommendations

Immediate mitigation steps include:

1) Applying any available patches or updates from bslthemes for Myour.
2) If patches are unavailable, disable remote file inclusion in PHP by setting 'allow_url_include=Off' and 'allow_url_fopen=Off' in php.ini.
3) Implement strict input validation and sanitization on all user inputs that influence include/require statements, employing whitelisting of allowed filenames.
4) Employ web application firewalls (WAFs) configured to detect and block suspicious file inclusion attempts.
5) Conduct thorough code reviews and audits of PHP applications using Myour to identify and remediate unsafe include patterns.
6) Monitor logs for unusual requests or errors indicative of exploitation attempts.
7) Isolate vulnerable web servers and restrict network access where possible.
8) Educate developers and administrators about secure coding practices related to file inclusion.

These measures go beyond generic advice by focusing on configuration hardening, proactive detection, and code-level remediation specific to this vulnerability.
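The allowlisting in step 3, as an added example that is not code from bslthemes or the Myour theme: the request value only selects an entry from a fixed map and never becomes part of the included path. The `layout` parameter, the `templates` directory, the template names and `resolve_template()` are all hypothetical; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: templates live in ./templates next to this script.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Hypothetical allowlist: request value => file on disk (constructed names).
const ALLOWED_TEMPLATES = [
    'portfolio' => 'portfolio.php',
    'resume'    => 'resume.php',
    'contact'   => 'contact.php',
];

// Unsafe pattern this replaces (request input flows into the path):
//   include TEMPLATE_DIR . '/' . $_GET['layout'] . '.php';

/**
 * Map a request value to an absolute path inside TEMPLATE_DIR,
 * or return null when the value is not allowlisted.
 */
function resolve_template(mixed $requested): ?string
{
    // Arrays (?layout[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }
    // The path is built from the allowlist value, never from the request.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$requested]);
    // Defence in depth: a symlinked or missing file must not leave the directory.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$template = resolve_template($_GET['layout'] ?? 'portfolio');
if ($template === null) {
    http_response_code(404);   // fail closed; do not echo the rejected value
    exit;
}
include $template;
```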


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-12-09T16:46:41.863Z
Cvss Version: null
State: PUBLISHED

Threat ID: 697259134623b1157c7fae21

Added to database: 1/22/2026, 5:06:27 PM

Last enriched: 1/30/2026, 8:31:49 AM

Last updated: 2/5/2026, 4:56:47 PM
