CVE-2025-32151
Published: 04 April 2025
Summary
CVE-2025-32151 is a high-severity vulnerability in Themekraft BuddyForms classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion'). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 16.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a PHP Local File Inclusion issue (CWE-98) that stems from improper control of the filename passed to include/require statements. It affects the BuddyForms WordPress plugin by Themekraft, in all versions through 2.9.0.
An authenticated attacker with low privileges can supply a crafted filename over the network to force inclusion of arbitrary local files. Successful exploitation, which carries high attack complexity, can result in disclosure or modification of sensitive data and full compromise of the application's confidentiality, integrity, and availability.
The sole reference points to a Patchstack advisory entry for the issue, which records the vulnerability under CVE-2025-32151. The associated EPSS score has remained flat at 0.0186 with no material increase since disclosure.
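To make the CWE-98 pattern concrete from a defender's perspective, the following is an added illustration and not BuddyForms code: a generic WordPress-style template loader shown in its vulnerable form and in a hardened form. The request parameter name (`view`), the `templates/` directory, the allowlisted view names, the `example_view` action and the text domain are all assumptions made for the example.

```php
<?php
// Added illustration, not BuddyForms code. Parameter name, directory
// layout, view names and action hook are assumptions for the example.

// VULNERABLE PATTERN (CWE-98): a request-controlled string reaches
// include() after only concatenation, so the include target is
// whatever path the caller chooses to build. This is the shape of
// defect the advisory describes (filename not controlled by the code).
function load_view_unsafe(string $requested): void {
    $base = plugin_dir_path(__FILE__) . 'templates/';
    include $base . $requested . '.php';
}

// HARDENED PATTERN: map the request value through a fixed allowlist so
// the include target is never derived from request bytes, then verify
// the resolved path is still inside the template directory as a second
// line of defence (covers symlinks and future allowlist mistakes).
function load_view_safe(string $requested): void {
    static $views = [
        'form'    => 'form.php',
        'results' => 'results.php',
        'thanks'  => 'thank-you.php',
    ];

    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    if ($base === false || !isset($views[$requested])) {
        wp_die(esc_html__('Unknown view.', 'example-plugin'), 400);
    }

    $target = realpath($base . DIRECTORY_SEPARATOR . $views[$requested]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    // Containment check: the canonical target must start with the
    // canonical template directory, otherwise refuse to include it.
    if ($target === false || strncmp($target, $prefix, strlen($prefix)) !== 0) {
        wp_die(esc_html__('Unknown view.', 'example-plugin'), 400);
    }

    include $target;
}

// Usage: the handler enforces a nonce and a capability, normalises the
// parameter with sanitize_key(), and dispatches through the safe loader.
// Only allowlisted keys can ever reach include().
add_action('admin_post_example_view', function (): void {
    check_admin_referer('example_view');
    if (!current_user_can('read')) {
        wp_die(esc_html__('Insufficient permissions.', 'example-plugin'), 403);
    }
    $view = isset($_GET['view']) ? sanitize_key(wp_unslash($_GET['view'])) : 'form';
    load_view_safe($view);
});
```

The important design choice is that the allowlist lookup, not sanitisation, decides what gets included: `sanitize_key()` merely normalises the parameter, while `$views` fixes the complete set of reachable files at development time. The `realpath()` containment check is deliberately redundant so that a later edit to the allowlist cannot silently reintroduce path traversal. When reviewing a plugin for this class of issue, look for any `include`/`require` whose operand is built from `$_GET`, `$_POST`, `$_REQUEST` or option values that an authenticated user can write.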
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-9854
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themekraft BuddyForms buddyforms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through <= 2.9.0.
- CWE(s): CWE-98
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.