CVE-2025-32155: 
WordPress vulnerability analysis and mitigation

CVE-2025-32155 is a Local File Inclusion vulnerability discovered in the WordPress Beds24 Online Booking plugin. The vulnerability was identified on April 4, 2025, affecting versions through 2.0.26 of the Beds24 Online Booking plugin. This security issue is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical assessment indicates that the vulnerability requires network access (AV:N), has high attack complexity (AC:H), requires low privileges (PR:L), needs no user interaction (UI:N), has unchanged scope (S:U), and can potentially result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents on the screen. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been patched in version 2.0.29 of the Beds24 Online Booking plugin. Users are advised to update to version 2.0.29 or later to remediate the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).