CVE-2025-32672
Published: 11 April 2025
Summary
CVE-2025-32672 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2025-32672 is a PHP Local File Inclusion flaw classified under CWE-98 and described as improper control of filenames for include/require statements in PHP programs. It affects the Ultimate Bootstrap Elements for Elementor WordPress plugin developed by g5theme, impacting all versions through 1.4.9.
An unauthenticated remote attacker can exploit the flaw over the network without user interaction to include arbitrary local files on the server. Successful exploitation can result in high-impact outcomes including disclosure of sensitive information, modification of data, or full disruption of the affected application, consistent with the CVSS 8.1 rating.
The vulnerability is catalogued in the Patchstack database, which identifies the affected plugin versions and serves as the primary advisory reference for this local file inclusion issue.
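To triage hosts against the affected range above, the following added example (not from the advisory or the plugin's code) reads the installed plugin's `Version:` header and compares it with 1.4.9. It assumes the plugin is installed under `wp-content/plugins/` in a directory named after its slug and carries a standard WordPress plugin header; the sample header written by `make_sample` is constructed, and the status strings are illustrative.

```python
import re
import tempfile
from pathlib import Path

SLUG = "ultimate-bootstrap-elements-for-elementor"  # plugin slug from the advisory
LAST_AFFECTED = (1, 4, 9)  # advisory: all versions through 1.4.9

# WordPress plugin header line, e.g. " * Version: 1.4.9"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.I | re.M)

def parse_version(text):
    """Turn '1.4.9' into (1, 4, 9); return None if no numeric parts remain."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    return tuple(parts) or None

def installed_version(plugin_dir):
    """Read the Version header from the plugin's top-level PHP files."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress itself only scans the first 8 KB of a file for headers.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return parse_version(match.group(1))
    return None

def check_site(wp_root):
    """Classify one WordPress root against the advisory's version range."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent"
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown"
    version += (0,) * (3 - len(version))  # pad so 1.4 compares as 1.4.0
    return "affected" if version <= LAST_AFFECTED else "outside-advisory-range"

def make_sample(wp_root, version):
    """Constructed sample: write a minimal plugin header under wp_root."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    plugin_dir.mkdir(parents=True, exist_ok=True)
    header = f"<?php\n/**\n * Plugin Name: Sample\n * Version: {version}\n */\n"
    (plugin_dir / "plugin.php").write_text(header, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for sample in ("1.4.9", "1.3", "1.5.0"):
            make_sample(root, sample)
            print(sample, "->", check_site(root))
```

A result of `outside-advisory-range` only means the version is above 1.4.9; the page does not name a fixed release, so confirm against the Patchstack advisory before treating the host as remediated.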
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-10739
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through <= 1.4.9.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.