CVE-2025-67957 is a vulnerability classified as 'Improper Control of Filename for Include/Require Statement in PHP Program,' commonly known as a Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerability, affecting TangibleWP's Listivo Core plugin for WordPress up to version 2.3.77. The vulnerability arises because the application fails to properly validate or sanitize user-supplied input used in PHP include or require statements. This improper control allows an attacker to manipulate the filename parameter to include arbitrary files, potentially from remote servers (RFI) or local system files (LFI). Successful exploitation can lead to remote code execution, enabling attackers to run malicious PHP code on the server, steal sensitive data, modify or delete files, and disrupt service availability. The CVSS v3.1 base score is 8.1, indicating high severity, with attack vector being network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N), but with high attack complexity (AC:H), meaning exploitation requires specific conditions or knowledge. The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be considered a significant risk for affected installations. The vulnerability affects Listivo Core, a WordPress plugin used for directory and listing websites, which is popular in various markets. The lack of available patches at the time of disclosure necessitates immediate attention from administrators to implement temporary mitigations.

For European organizations, exploitation of CVE-2025-67957 could result in severe consequences including unauthorized access to sensitive data, website defacement, deployment of malware or ransomware, and disruption of business operations. Organizations relying on Listivo Core for critical directory or listing services may face data breaches impacting customer privacy and regulatory compliance, especially under GDPR. The ability to execute arbitrary code remotely without authentication increases the risk of widespread compromise. Additionally, attackers could leverage compromised servers as pivot points for lateral movement within corporate networks. The reputational damage and potential financial losses from service downtime and incident response could be substantial. Given the high adoption of WordPress and PHP-based CMS solutions across Europe, the threat surface is significant, particularly for SMEs and public sector entities using Listivo Core or derivative products.

1. Monitor TangibleWP and Listivo Core vendor channels for official patches and apply them immediately upon release. 2. Until patches are available, implement strict input validation and sanitization on all parameters that influence file inclusion paths, ensuring only allowed filenames or paths are accepted. 3. Employ Web Application Firewalls (WAFs) with rules designed to detect and block suspicious include/require patterns and remote file inclusion attempts. 4. Disable allow_url_include and allow_url_fopen directives in PHP configurations to prevent remote file inclusion. 5. Restrict file permissions and use PHP open_basedir to limit accessible directories for PHP scripts. 6. Conduct regular security audits and code reviews to identify similar vulnerabilities. 7. Monitor logs for unusual access patterns or errors related to file inclusion. 8. Educate developers and administrators about secure coding practices related to file handling in PHP. 9. Consider isolating or sandboxing vulnerable applications to limit potential damage from exploitation.