CVE-2025-67616: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in BZOTheme Mella
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29.
AI Analysis
Technical Summary
CVE-2025-67616 is a remote file inclusion (RFI) vulnerability found in the BZOTheme Mella WordPress theme, versions up to 1.2.29. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements: the theme fails to validate or sanitize the user-supplied input that determines which file is included during execution. This flaw enables an attacker to supply a remote URL or a malicious file path, causing the server to fetch and execute arbitrary PHP code from an external source. Note that the CVE description above classifies the issue as PHP Local File Inclusion; including code from a remote URL additionally requires PHP's allow_url_include setting, which is disabled by default, so on most hosts the practical exposure is the inclusion of files already present on the server. The vulnerability requires no authentication or user interaction, making it exploitable remotely by any attacker with network access to the vulnerable web server. The CVSS v3.1 base score of 8.1 reflects the high impact on confidentiality, integrity, and availability, as successful exploitation can lead to full system compromise, data leakage, or denial of service. Although no public exploits have been reported yet, the nature of file inclusion vulnerabilities and their prevalence in WordPress themes make this a critical issue to address. The vulnerability affects all installations using the Mella theme up to version 1.2.29, which is popular among WordPress users for e-commerce and business websites. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for mitigation through alternative means such as disabling vulnerable features or applying custom code patches.
Potential Impact
For European organizations, this vulnerability poses a significant risk to websites running the Mella theme, potentially leading to unauthorized remote code execution. Attackers could leverage this flaw to deface websites, steal sensitive customer or business data, implant malware, or use compromised servers as pivot points for further network intrusion. This can result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions. E-commerce sites and business portals using Mella are particularly at risk, as attackers may target payment processing or customer databases. The vulnerability’s remote and unauthenticated nature increases the likelihood of exploitation, especially in environments with poor security monitoring or outdated WordPress installations. Given the widespread use of WordPress across Europe, the impact could be broad, affecting small and medium enterprises as well as larger organizations relying on this theme for their online presence.
Mitigation Recommendations
Immediate mitigation should focus on identifying all WordPress installations using the Mella theme version 1.2.29 or earlier. Organizations should monitor for any suspicious web requests or unexpected file inclusions in server logs. Until an official patch is released, administrators can mitigate risk by disabling or removing the vulnerable include/require functionality if feasible, or by implementing strict input validation and sanitization on parameters controlling file inclusion. Employing web application firewalls (WAFs) with rules blocking remote file inclusion attempts can provide additional protection. Regularly updating WordPress core, themes, and plugins remains critical. Organizations should also conduct thorough security audits to detect any signs of compromise and ensure backups are current and tested. Educating developers and administrators about secure coding practices related to file inclusion can prevent similar vulnerabilities in custom themes or plugins.
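The "strict input validation" recommended above, shown as an added example rather than code from the Mella theme: a template loader that allowlists the names it will include and confirms the resolved path stays inside the theme directory. The request parameter name `template`, the `templates/` directory and the allowlist entries are assumptions for illustration.

```php
<?php
// Added example, not Mella's own code. Hardened replacement for the CWE-98
// pattern where a request parameter chooses the file handed to include/require.
// Unsafe pattern, shown for contrast only:
//   include $_GET['template'] . '.php';
// A traversal sequence, or a URL when allow_url_include is on, would be executed.

declare(strict_types=1);

/**
 * Resolve a client-supplied template name to a file inside $baseDir, or return
 * null. Defence in depth: allowlist first, then a canonical-path containment
 * check so a mistaken allowlist entry still cannot escape the directory.
 */
function resolve_template(string $requested, string $baseDir, array $allowlist): ?string
{
    // 1. Exact-match allowlist: only template names the theme ships are accepted.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }
    // 2. Bare file name only: no separators, URL schemes, dots or NUL bytes.
    if (preg_match('/\A[a-z0-9_-]+\z/', $requested) !== 1) {
        return null;
    }
    // 3. Canonicalise and confirm the result still lives under the theme directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hypothetical call site inside the theme: fall back to a safe default and log
// refused values so the server-log monitoring recommended above has a signal.
$allowed  = ['default', 'shop', 'blog'];               // constructed allowlist
$wanted   = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
$template = resolve_template($wanted, __DIR__ . '/templates', $allowed);

if ($template === null) {
    error_log('Rejected template parameter: ' . $wanted);
    $template = __DIR__ . '/templates/default.php';
}
require $template;
```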
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-12-09T16:46:41.863Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 697259134623b1157c7fae24
Added to database: 1/22/2026, 5:06:27 PM
Last enriched: 1/30/2026, 8:32:01 AM
Last updated: 2/7/2026, 8:33:17 PM