CVE-2025-32614: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion (LFI) vulnerability has been identified in Ashan Perera's EventON WordPress plugin affecting versions through 2.3.2. The vulnerability is tracked as CVE-2025-32614 and was disclosed on April 9, 2025. This security issue is classified as a PHP Remote File Inclusion vulnerability, specifically related to improper control of filename for include/require statements (Patchstack, NVD).

The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has received a CVSS v3.1 base score of 8.8 (High), with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability can be exploited by unauthenticated attackers, indicating a low complexity attack vector that requires user interaction (Patchstack).

The vulnerability allows malicious actors to include local files of the target website and display their contents. This could potentially expose sensitive information such as database credentials, depending on the server configuration. In cases where database credentials are exposed, this could lead to complete database takeover (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement mitigation measures immediately (Patchstack).