CVE-2025-32692: 
WordPress vulnerability analysis and mitigation

CVE-2025-32692 is a Local File Inclusion vulnerability affecting WP Subscription Forms WordPress plugin versions through 1.2.4. The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion'. This security issue was discovered and reported by LVT-tholv2k on March 10, 2025, and was publicly disclosed on April 9, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires contributor-level privileges to exploit (NVD, Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could potentially be exposed, which might lead to complete database compromise depending on the server configuration (Patchstack).

The recommended solution is to update to version 1.2.5 or later of the WP Subscription Forms plugin. For Patchstack users, enabling auto-update for vulnerable plugins is advised (Patchstack).