Cyber Resilience

CVE-2025-32672

High

Published: 11 April 2025

Published
11 April 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0115 78.9th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32672 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 21.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2025-32672 is a PHP Local File Inclusion flaw classified under CWE-98 and described as improper control of filenames for include/require statements in PHP programs. It affects the Ultimate Bootstrap Elements for Elementor WordPress plugin developed by g5theme, impacting all versions through 1.4.9.

An unauthenticated remote attacker can exploit the flaw over the network without user interaction to include arbitrary local files on the server. Successful exploitation can result in high-impact outcomes including disclosure of sensitive information, modification of data, or full disruption of the affected application, consistent with the CVSS 8.1 rating.

The vulnerability is catalogued in the Patchstack database, which identifies the affected plugin versions and serves as the primary advisory reference for this local file inclusion issue.

EU & UK References

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Inclusion.This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through <= 1.4.9.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References