CVE-2025-67955 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly known as a Remote File Inclusion (RFI) flaw, affecting TangibleWP's MyHome Core plugin versions up to 4.1.0. The vulnerability arises because the application does not properly validate or sanitize user-supplied input used in PHP include or require statements. This flaw allows an attacker to supply a crafted filename parameter that causes the PHP interpreter to include a remote file controlled by the attacker. The impact of such an inclusion can range from information disclosure to remote code execution, depending on the payload and server configuration. The CVSS v3.1 base score is 7.5, indicating high severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). Although no known exploits are reported in the wild, the vulnerability's characteristics make it a critical risk for web servers running vulnerable versions of MyHome Core. The vulnerability was reserved in December 2025 and published in January 2026, indicating recent discovery and disclosure. The lack of available patches at the time of reporting increases the urgency for organizations to implement temporary mitigations and monitor for updates.

For European organizations, the primary impact of CVE-2025-67955 is the potential compromise of confidentiality due to unauthorized remote file inclusion. Attackers could leverage this vulnerability to read sensitive configuration files, credentials, or other protected data stored on the server. In some configurations, this flaw could be escalated to remote code execution, allowing attackers to execute arbitrary PHP code, leading to full system compromise. This is particularly critical for organizations relying on MyHome Core for real estate or property management websites, which may handle personal data subject to GDPR regulations. A breach could result in data leakage, reputational damage, regulatory fines, and operational disruption. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely and automatically, increasing the risk of widespread attacks. The absence of known exploits currently provides a window for proactive defense, but the high severity score suggests that exploitation attempts may emerge rapidly once public details circulate.

1. Immediate action should focus on monitoring official TangibleWP channels for patches addressing CVE-2025-67955 and applying them as soon as they become available. 2. Until patches are released, implement strict input validation and sanitization on all parameters that influence file inclusion paths, ensuring only expected and safe filenames are accepted. 3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit file inclusion vulnerabilities, such as those containing URL schemes or traversal sequences. 4. Disable PHP allow_url_include directive if enabled, as this setting facilitates remote file inclusion attacks. 5. Conduct code audits of customizations or integrations with MyHome Core to identify and remediate unsafe include/require usage. 6. Restrict file system permissions to limit the PHP process's ability to access or execute unauthorized files. 7. Monitor web server logs for anomalous requests indicative of exploitation attempts. 8. Educate development and security teams about the risks of improper input handling in PHP applications to prevent similar vulnerabilities in the future.