CVE-2025-32519
Published: 11 April 2025
Summary
CVE-2025-32519 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themeatelier Idonate. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 18.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2025-32519 is an improper control of the filename used in an include/require statement in a PHP program, classified as a PHP Local File Inclusion flaw under CWE-98. It affects the IDonate plugin for WordPress by Foysal Imran, impacting all versions through 2.1.18.
Unauthenticated remote attackers can exploit the issue over the network without privileges or user interaction. Successful exploitation allows inclusion of arbitrary local files, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.1 score.
The reference advisory from Patchstack documents the local file inclusion vulnerability in the WordPress IDonate plugin at version 2.1.8 and earlier. The EPSS score remains flat at 0.0149 with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10787
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Foysal Imran IDonate idonate allows PHP Local File Inclusion. This issue affects IDonate: from n/a through <= 2.1.18.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.