CVE-2025-32151: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32151) was discovered in the WordPress BuddyForms plugin, affecting versions through 2.8.15. The vulnerability was reported on February 19, 2025, and publicly disclosed on April 4, 2025. The issue was identified in Sven Lehnert's BuddyForms plugin, which is commonly used in WordPress installations (Patchstack).

The vulnerability is classified as an 'Improper Control of Filename for Include/Require Statement in PHP Program' (CWE-98). It received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor-level privileges or higher to exploit (NVD, Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the system configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. The issue affects versions up to 2.8.17, and users are advised to monitor for updates from the plugin developer (Patchstack).