How to fix CVE-2025-28888?

Within 24 hours: Identify all systems running GiftXtore 1.7.4 and earlier; isolate affected instances from production if possible. Within 7 days: Implement WAF rules to block malicious file inclusion patterns; apply input validation and output encoding at the application layer; review access logs for exploitation attempts. Within 30 days: Contact vendor for patch timeline; evaluate alternative solutions or upgrade path; conduct security assessment of affected systems for indicators of compromise.

Is PHP affected by CVE-2025-28888?

A high-severity file inclusion vulnerability in GiftXtore versions up to 1.7.4 could allow attackers to access sensitive files or execute malicious code on affected systems.

CVE-2025-28888

EUVD-2025-17484 HIGH

2025-06-09 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 19:21 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 19:21 euvd

EUVD-2025-17484

CVE Published

Jun 09, 2025 - 16:15 nvd

HIGH 8.1

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion. This issue affects GiftXtore: from n/a through 1.7.4.

Analysis

PHP Local File Inclusion (LFI) vulnerability in BZOTheme GiftXtore versions through 1.7.4 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. This is a high-severity vulnerability (CVSS 8.1) that can lead to complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability stems from improper validation of filename parameters in PHP include/require statements, enabling attackers to access sensitive files or execute malicious code without authentication.

Technical Context

This vulnerability exploits CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a classic server-side code injection flaw. The affected product BZOTheme GiftXtore (CPE likely: cpe:2.3:a:bzotheme:giftxtore:*:*:*:*:*:*:*:*) improperly handles user-supplied input when constructing file paths for PHP include() or require() functions. Rather than Remote File Inclusion (RFI), this specific instance is Local File Inclusion (LFI), meaning attackers can only access files already present on the server filesystem. However, LFI can be escalated to RCE through log file poisoning, session file manipulation, or by including PHP wrappers (data://, php://filter) depending on PHP configuration. The vulnerability likely exists in a template engine, theme loader, or module inclusion mechanism within the GiftXtore e-commerce platform.

Affected Products

GiftXtore (1.7.4 and all prior versions)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +40

POC: 0

CVE-2025-28888 vulnerability details – vuln.today

Back

CVE-2025-28888

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

CVE-2025-28888

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code