Attack Vectors
CVE-2025-27362 is a Critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting the Petito – Animals and Pets Store WooCommerce Theme (slug: bw-petito) in versions up to and including 1.6.4. It is an unauthenticated Local File Inclusion (LFI) issue, meaning an attacker can potentially trigger it remotely over the internet without logging in and without any user interaction.
In practical business terms, this type of flaw can allow an attacker to force your site to load files from the server in unintended ways. If an attacker can get a file onto the server (for example, through any upload functionality elsewhere in the environment), they may be able to have the site include and run that file as code. This can also be leveraged to access sensitive server-side files, depending on how the site is configured.
Security Weakness
The underlying weakness is that the vulnerable Petito theme versions (≤ 1.6.4) allow file inclusion in a way that is not sufficiently restricted. As described in the public advisory, this makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of PHP code contained in those files.
This is especially high risk for organizations running WooCommerce because themes are tightly coupled to the customer-facing storefront. When a theme exposes an LFI path, it can become a direct bridge to bypass intended access controls, retrieve sensitive data, or progress toward full site compromise in environments where “safe” file types (like images) can be uploaded and then included.
Remediation: Update Petito to version 1.6.5 (or a newer patched version), as recommended by the source advisory (the Wordfence Threat Intel entry).
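A quick way to confirm whether the remediation above has been applied (an added example, not code from the advisory or the theme vendor): the script reads the theme's style.css `Version:` header and compares it with the fixed release 1.6.5 using version ordering rather than string comparison. The theme directory path and the sample style.css are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag a vulnerable Petito (bw-petito) install by reading the
# theme's style.css "Version:" header and comparing it with the fixed release.
# Assumptions: the theme header is in <theme dir>/style.css (standard WordPress
# layout); the fixed version 1.6.5 comes from the advisory text above.

FIXED_VERSION="1.6.5"

# Print the "Version:" value from a WordPress theme style.css header.
theme_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) when $1 sorts strictly before $2 in version order (1.10 > 1.6).
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Check the theme directory $1. Prints a verdict; exit 1 = vulnerable,
# 0 = patched, 2 = version could not be determined.
check_petito() {
    css="$1/style.css"
    [ -f "$css" ] || { echo "unknown: no style.css in $1"; return 2; }
    v="$(theme_version "$css")"
    [ -n "$v" ] || { echo "unknown: no Version header in $css"; return 2; }
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "vulnerable: installed $v is below $FIXED_VERSION"
        return 1
    fi
    echo "patched: installed $v"
    return 0
}

# Constructed sample (not a real theme file): a header claiming version 1.6.4.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/style.css" <<'EOF'
/*
Theme Name: Petito
Version: 1.6.4
*/
EOF
check_petito "$demo_dir" || true
rm -rf "$demo_dir"
```

On a live site, point `check_petito` at the installed theme directory, normally `wp-content/themes/bw-petito` under the WordPress root.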
Technical or Business Impacts
If exploited, the impacts can be severe and immediate because this is rated Critical and does not require authentication. Potential outcomes include exposure of sensitive data (customer information, configuration details, API keys), bypass of access controls, and in certain scenarios, remote code execution by executing PHP code from included files.
For marketing directors and business owners, the risk translates into brand and revenue damage: storefront downtime, defacement, SEO spam injections, unauthorized redirects, compromised checkout experiences, and loss of customer trust. It can also trigger compliance and reporting obligations if customer data is exposed, increasing legal costs and operational disruption. A compromised WooCommerce site can additionally be used as a launchpad for further attacks (fraud, phishing pages, or malware distribution), extending the impact beyond the website itself.
Reference: CVE-2025-27362.