CVE-2025-48332: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-48332) was discovered in PublishPress Gutenberg Blocks affecting versions through 3.3.1. The vulnerability was disclosed on August 14, 2025, and is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It received a CVSS v3.1 base score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The attack vector is network-based, requires high attack complexity, needs no privileges, but does require user interaction (NVD).

This vulnerability could allow attackers to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to complete database compromise depending on the system configuration (Patchstack).

Users are advised to update to version 3.3.2 or later immediately to resolve the vulnerability. For Patchstack users, virtual patching is available to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).