CVE-2025-32153: 
WordPress vulnerability analysis and mitigation

The CVE-2025-32153 vulnerability was discovered in the VG WooCarousel WordPress plugin, affecting versions up to and including 1.3. This Local File Inclusion (LFI) vulnerability was disclosed on April 4, 2025, and allows authenticated users with Contributor-level access or higher to include local files from the target website (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, also known as PHP Remote File Inclusion. It has been assigned a CVSS v3.1 base score of 7.5 (High) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-98 (NVD).

If exploited, this vulnerability could allow attackers to access and view local files on the target website, potentially exposing sensitive information such as database credentials. Depending on the server configuration, this could lead to complete database takeover (Patchstack).

No official fix is available for this vulnerability. The recommended mitigation strategy is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive future updates or security fixes (Patchstack).