CVE-2025-48332: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-48332) was discovered in PublishPress Gutenberg Blocks affecting versions through 3.3.1. The vulnerability was reported by researcher LVT-tholv2k on June 15, 2025, and was publicly disclosed by Patchstack on July 28, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires no authentication to exploit and falls under the OWASP Top 10 category A3: Injection (Patchstack).

This vulnerability could allow malicious actors to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database compromise depending on the system configuration (Patchstack).

The vulnerability has been fixed in version 3.3.2 of the Gutenberg Blocks plugin. Users are strongly advised to update to version 3.3.2 or later immediately. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).