CVE-2025-32158: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32158) was discovered in aThemes Addons for Elementor plugin versions through 1.0.15. The vulnerability was disclosed on April 4, 2025, and is classified as a PHP Remote File Inclusion vulnerability, specifically related to improper control of filename for Include/Require statements (NVD, Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The weakness is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires Contributor level privileges or higher to exploit (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix has been released for versions through 1.0.15. Website administrators running vulnerable versions should consider implementing additional access controls and monitoring for suspicious activities (Patchstack).