CVE-2025-52732
Published: 14 August 2025
Summary
CVE-2025-52732 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-52732 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the RealMag777 GMap Targeting WordPress plugin (gmap-targeting). The flaw enables PHP Local File Inclusion and affects all versions from n/a through 1.1.6. Published on 2025-08-14, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by a low-privileged authenticated user (PR:L) over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary local file inclusion and execution of malicious PHP code.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gmap-targeting/vulnerability/wordpress-google-map-targeting-plugin-1-1-6-local-file-inclusion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24789
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 GMap Targeting gmap-targeting allows PHP Local File Inclusion. This issue affects GMap Targeting: from n/a through <= 1.1.6.
- CWE(s): CWE-98 (PHP Remote File Inclusion)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and the deployment and execution of malicious PHP code as a web shell (T1505.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user-supplied filenames in PHP include/require statements to block arbitrary local file inclusion exploits.
- SI-2 (Flaw Remediation): mandates timely remediation of the specific PHP file inclusion flaw in GMap Targeting plugin versions through <= 1.1.6 via patching.
- Vulnerability scanning: supports scanning to identify and prioritize the presence of this known CVE in deployed WordPress plugins.
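The SI-10 control above is what a corrected include path looks like in practice. The following is an added example, not code from the gmap-targeting plugin or from Patchstack; the `view` parameter, the `templates` directory and the allowlisted file names are assumptions chosen for illustration.

```php
<?php
// Added example (not the plugin's code): allowlisted template loading that
// satisfies SI-10 (input validation) for PHP include/require statements.
// Assumptions: templates live under a fixed directory, are named without
// path separators, and the request parameter "view" is hypothetical.

declare(strict_types=1);

// The CWE-98 pattern: the include target is taken straight from the request.
// include $_GET['view'];   // attacker-controlled filename -> local file inclusion

// Fixed set of templates the code may include; user input never appears here.
const ALLOWED_VIEWS = ['map' => 'map.php', 'settings' => 'settings.php'];

/**
 * Resolve a user-supplied view key to a file inside $baseDir, or return null.
 * Three layers: allowlist lookup, a syntactic check on the resulting name,
 * and a realpath() containment check so the file must sit under $baseDir.
 */
function resolve_view(string $key, string $baseDir): ?string
{
    // 1. Allowlist: unknown keys never reach the filesystem.
    if (!array_key_exists($key, ALLOWED_VIEWS)) {
        return null;
    }
    $file = ALLOWED_VIEWS[$key];

    // 2. Defence in depth: a plain basename with a .php extension only.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $file)) {
        return null;
    }

    // 3. Containment: canonical path must stay under the canonical base dir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the raw request value is only ever used as an allowlist key.
$view   = isset($_GET['view']) ? (string) $_GET['view'] : 'map';
$target = resolve_view($view, __DIR__ . '/templates');
if ($target === null) {
    http_response_code(400);
    exit('Unknown view');
}
require $target;
```

Any key outside `ALLOWED_VIEWS`, or any resolved path that escapes the templates directory, yields a 400 response instead of an include, which is the behaviour SI-10 asks for.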