CVE-2025-52732: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-52732) was discovered in the Google Map Targeting WordPress plugin affecting versions up to and including 1.1.6. The vulnerability was reported on June 3, 2025, by researcher LVT-tholv2k and publicly disclosed on July 31, 2025. This security flaw is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. It is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability requires subscriber-level access or higher to exploit (Rapid7, Patchstack).

The vulnerability allows authenticated attackers with subscriber-level privileges to include and execute arbitrary files on the server. This can lead to bypass of access controls, exposure of sensitive data, and potential code execution if attackers can upload and include seemingly safe file types like images. The vulnerability could potentially allow complete database takeover depending on the server configuration (Patchstack, Rapid7).

Users are advised to update to version 1.1.7 or later immediately to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to the fixed version (Patchstack).