CVE-2025-32672: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32672) was discovered in g5theme Ultimate Bootstrap Elements for Elementor plugin versions through 1.4.9. The vulnerability was disclosed on April 9, 2025, and is classified as a PHP Remote File Inclusion vulnerability, specifically an Improper Control of Filename for Include/Require Statement issue (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 HIGH with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (NVD).

This vulnerability is considered highly dangerous and expected to become mass exploited. It could allow a malicious actor to include local files of the target website and display their output on the screen. Files containing sensitive information, such as database credentials, could potentially be exposed, leading to complete database takeover depending on the configuration (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately (Patchstack).