CVE-2025-68067 is a vulnerability classified as PHP Remote File Inclusion (RFI) found in the Select-Themes Stockholm Core WordPress theme, affecting versions up to and including 2.4.6. The root cause is improper control over the filename parameter used in PHP include or require statements, which allows an attacker to specify a remote file to be included and executed by the server. This vulnerability does not require authentication or user interaction, making it remotely exploitable over the network. The CVSS v3.1 score of 7.5 reflects a high severity, primarily due to the impact on confidentiality, as attackers can execute arbitrary PHP code remotely, potentially leading to data theft or further compromise. The vulnerability does not affect integrity or availability directly but can be leveraged for further attacks. No known exploits have been reported in the wild at the time of publication, but the nature of RFI vulnerabilities historically makes them attractive targets. The Stockholm Core theme is a popular WordPress theme used by various websites, which increases the attack surface. The vulnerability was published on December 16, 2025, and was assigned by Patchstack. No official patches or mitigation links were provided at the time of reporting, emphasizing the need for proactive defensive measures.

For European organizations, this vulnerability poses a significant risk to websites using the Stockholm Core theme, especially those handling sensitive customer data or providing critical services. Successful exploitation can lead to unauthorized disclosure of confidential information, including user credentials, personal data, or business-sensitive content. Attackers could also use the vulnerability as a foothold to deploy malware, pivot within networks, or conduct further attacks such as data exfiltration or ransomware deployment. The lack of required authentication and user interaction increases the likelihood of exploitation. Organizations in sectors such as e-commerce, media, finance, and government are particularly vulnerable due to their reliance on WordPress-based websites and the potential value of compromised data. Additionally, reputational damage and regulatory penalties under GDPR could result from breaches stemming from this vulnerability.

Organizations should immediately inventory their WordPress installations to identify the use of the Stockholm Core theme and verify the version in use. Until an official patch is released, apply temporary mitigations such as disabling remote file inclusion in PHP configurations (e.g., setting allow_url_include to Off), restricting file inclusion paths, and employing strict input validation and sanitization on any user-supplied parameters related to file inclusion. Deploying a Web Application Firewall (WAF) with rules to detect and block suspicious include/require requests can reduce risk. Monitoring web server logs for unusual file inclusion attempts or unexpected remote requests is critical for early detection. Once patches become available from Select-Themes or trusted sources, apply them promptly. Additionally, consider isolating WordPress environments and limiting permissions to reduce the impact of potential exploitation. Regular security audits and vulnerability scanning should be integrated into the maintenance cycle to detect similar issues proactively.