CVE-2025-32156: 
WordPress vulnerability analysis and mitigation

The Just Post Preview Widget WordPress plugin contains a Local File Inclusion vulnerability (CVE-2025-32156) discovered on April 4, 2025. This security flaw affects versions up to and including 1.1.1 of the plugin, developed by Alex Prokopenko / JustCoded. The vulnerability is classified as a PHP Remote File Inclusion issue, specifically related to improper control of filename for include/require statements (WPScan, Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received varying CVSS scores from different sources: a CVSS 3.1 Base Score of 7.5 (HIGH) according to Patchstack with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, while WPScan rates it at 8.8 (high) (NVD, WPScan).

The vulnerability allows authenticated attackers with contributor-level access or higher to include and execute arbitrary files on the server. This can lead to bypass of access controls, exposure of sensitive data, and potential code execution when 'safe' file types like images can be uploaded and included (WPScan, Patchstack).

No official fix is currently available for this vulnerability. The recommended mitigation strategy is to remove and replace the software with an alternative solution, as the plugin is considered abandoned and unlikely to receive future updates or security fixes (Patchstack).