Cyber Resilience

CVE-2025-32151

High

Published: 04 April 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0186 (83.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32151 is a high-severity vulnerability in Themekraft BuddyForms, classified under CWE-98 ('PHP Remote File Inclusion'), that allows PHP Local File Inclusion. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a PHP Local File Inclusion issue (CWE-98) stemming from improper control of filenames in include/require statements. It affects the BuddyForms WordPress plugin by Themekraft, impacting all versions through 2.9.0.

An authenticated attacker with low privileges can supply a crafted filename over the network to force inclusion of arbitrary local files. Successful exploitation, which carries high attack complexity, can result in disclosure or modification of sensitive data and full compromise of the application's confidentiality, integrity, and availability.

The sole reference points to a Patchstack advisory entry for the issue, which records the vulnerability under CVE-2025-32151. The associated EPSS score has remained flat at 0.0186 with no material increase since disclosure.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themekraft BuddyForms buddyforms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through <= 2.9.0.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

themekraft
buddyforms
≤ 2.8.15

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References