A critical vulnerability, identified as CVE-2025-68530, has been discovered in the pavothemes Bookory theme for WordPress. This flaw allows an unauthenticated remote attacker to trick the application into including and executing malicious code from an external server, potentially leading to a full compromise of the affected website and underlying server.

This vulnerability is a Remote File Inclusion (RFI) flaw. It exists because the application fails to properly validate user-supplied input that is used to construct a file path for an include() or require() statement in PHP. An unauthenticated remote attacker can craft a special request, manipulating an input parameter to point to a malicious PHP file hosted on an attacker-controlled server. The vulnerable application will then fetch and execute this remote file, granting the attacker complete control over the web server with the privileges of the web service account.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include theft of sensitive data (such as customer information, payment details, and intellectual property), installation of ransomware or other malware, website defacement, and the use of the compromised server to launch further attacks against the organization's internal network. Such an incident could result in significant financial loss, reputational damage, and regulatory penalties.

Immediate Action: Update the pavothemes Bookory theme to the latest version available from the vendor (a version later than 2.2.7). After patching, thoroughly monitor for any signs of post-exploitation activity and review historical web server access logs for indicators of compromise.

Proactive Monitoring: System administrators should actively monitor web server logs for suspicious requests containing URLs or unusual file paths (e.g., http://, ftp://, ../../) in query parameters. Monitor for unexpected outbound network connections from the web server, especially to unknown IP addresses. File Integrity Monitoring (FIM) should be used to detect the creation of unauthorized files in web directories.

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

• Implement a Web Application Firewall (WAF) with rules designed to block common file inclusion attack patterns.
• In the server's php.ini configuration file, disable allow_url_include and allow_url_fopen to prevent the PHP interpreter from fetching remote files. Note: This will prevent RFI but may not mitigate a Local File Inclusion (LFI) variant of this attack.
• Restrict outbound network traffic from the web server, allowing connections only to trusted and necessary endpoints.

Public Exploit Available: False (as of Dec 24, 2025)

Given the critical CVSS score of 9.8 and the high likelihood of exploitation leading to remote code execution, this vulnerability poses a severe and immediate risk to the organization. We strongly recommend that the pavothemes Bookory theme be updated to a patched version with the highest priority. If patching cannot be performed immediately, the compensating controls listed above, particularly the use of a WAF, should be implemented as a temporary measure. Although this CVE is not currently on the CISA KEV list, its severity warrants immediate attention and remediation.