CVE-2025-32519

High

Published: 11 April 2025

Modified: 23 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0149 (81.4th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32519 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themeatelier Idonate. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 18.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-32519 is an improper control of the filename passed to an include/require statement in a PHP program, classified under CWE-98 as a PHP Local File Inclusion flaw. It affects the IDonate plugin for WordPress by Foysal Imran, in all versions through 2.1.18.

Unauthenticated remote attackers can exploit the issue over the network without privileges or user interaction. Successful exploitation allows inclusion of arbitrary local files, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.1 score.

The reference advisory from Patchstack documents the local file inclusion vulnerability in the WordPress IDonate plugin at version 2.1.8 and earlier. The EPSS score remains flat at 0.0149 with no material increase observed.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Foysal Imran IDonate idonate allows PHP Local File Inclusion. This issue affects IDonate: from n/a through <= 2.1.18.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

themeatelier
idonate
≤ 2.1.16

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.