Cyber Resilience

CVE-2025-52732

Severity: High

Published: 14 August 2025

Modified: 23 April 2026
CVSS v3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0056 (68.8th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52732 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 31.2% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-52732 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the RealMag777 GMap Targeting WordPress plugin (gmap-targeting). The flaw enables PHP Local File Inclusion and affects all versions from n/a through 1.1.6. Published on 2025-08-14, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a low-privileged authenticated user (PR:L) over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary local file inclusion and execution of malicious PHP code.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gmap-targeting/vulnerability/wordpress-google-map-targeting-plugin-1-1-6-local-file-inclusion-vulnerability?_s_id=cve.


Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 GMap Targeting gmap-targeting allows PHP Local File Inclusion. This issue affects GMap Targeting: from n/a through <= 1.1.6.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

An LFI flaw in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and the deployment and execution of malicious PHP code as a web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13408 (shared CWE-98)
CVE-2026-39387 (shared CWE-98)
CVE-2026-3425 (shared CWE-98)
CVE-2026-27383 (shared CWE-98)
CVE-2024-51319 (shared CWE-98)
CVE-2025-30845 (shared CWE-98)
CVE-2025-26985 (shared CWE-98)
CVE-2025-69078 (shared CWE-98)
CVE-2026-24538 (shared CWE-98)
CVE-2025-54031 (shared CWE-98)


Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation)

Requires validation of user-supplied filenames in PHP include/require statements to block arbitrary local file inclusion exploits.
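The SI-10 control above comes down to one rule: a value taken from the request must never be passed to include or require until it has been mapped onto a known-good file. The PHP below is an added illustration, not code from the GMap Targeting plugin or from the Patchstack advisory; the view names, the views directory and the function names are assumptions for the example. It contrasts the unsafe pattern (CWE-98) with a version that allow-lists the view name and then confirms the resolved path is contained inside the intended directory.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (illustrative only, not the plugin's code): the file name
// comes straight from the request and reaches include(), so whoever controls
// $view controls which file on disk is executed. This is CWE-98 in one line.
function render_view_unsafe(string $view): void
{
    include __DIR__ . '/views/' . $view . '.php';
}

// Hardened pattern: the request value is only ever used as a key into a fixed
// allow-list of view names (assumed set), and the resolved path is checked to
// lie inside the views directory before include() sees it.
const ALLOWED_VIEWS = ['map', 'settings', 'help'];

function resolve_view_path(string $view, string $viewsDir): ?string
{
    // 1. Allow-list: unknown names are rejected before any path is built.
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;
    }
    // 2. Canonicalise both sides. realpath() collapses any ../ segments and
    //    returns false for files that do not exist.
    $root = realpath($viewsDir);
    $candidate = realpath($viewsDir . '/' . $view . '.php');
    if ($root === false || $candidate === false) {
        return null;
    }
    // 3. Containment: the canonical file must sit strictly below the root.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_view_safe(string $view, string $viewsDir): bool
{
    $path = resolve_view_path($view, $viewsDir);
    if ($path === null) {
        // Fail closed: nothing is included for a rejected name.
        http_response_code(400);
        echo "Unknown view\n";
        return false;
    }
    include $path;
    return true;
}

// Constructed demonstration: a temporary views directory holding one
// legitimate view, exercised with a valid name, a traversal-style name and
// an allow-listed name whose file does not exist.
$tmp = sys_get_temp_dir() . '/views_' . bin2hex(random_bytes(4));
mkdir($tmp);
file_put_contents($tmp . '/map.php', '<?php echo "map view rendered\n";');

var_dump(render_view_safe('map', $tmp));        // bool(true): view rendered
var_dump(render_view_safe('../other', $tmp));   // bool(false): not allow-listed
var_dump(render_view_safe('settings', $tmp));   // bool(false): allow-listed, file absent

unlink($tmp . '/map.php');
rmdir($tmp);
```

The allow-list alone is sufficient when the set of views is fixed; the realpath containment check is the second layer that still holds if the allow-list is later loosened to accept names from configuration. Returning a boolean from the safe renderer keeps the outcome testable rather than relying on what was printed.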

Prevent: SI-2 (Flaw Remediation)

Mandates timely remediation of the specific PHP file inclusion flaw in GMap Targeting plugin versions through 1.1.6 via patching.

Detect

Supports vulnerability scanning to identify and prioritize the presence of this known CVE in deployed WordPress plugins.

References