CVE-2025-32151

Published Apr 4, 2025

Last updated a month ago

CVSS high 7.5

Overview

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themekraft BuddyForms buddyforms allows PHP Local File Inclusion.This issue affects BuddyForms: from n/a through <= 2.9.0.
Source
audit@patchstack.com
NVD status
Modified
Products
buddyforms

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

audit@patchstack.com
CWE-98

Social media

Hype score
Not currently trending

  1. ๐Ÿšจ CVE-2025-32151 ๐Ÿ”ด HIGH (7.5) ๐Ÿข Sven Lehnert - BuddyForms ๐Ÿ—๏ธ Unknown Version ๐Ÿ”— https://t.co/o1zZDaocbX #CyberCron #VulnAlert #InfoSec https://t.co/sLvYXPPEy1

    @cybercronai

    6 Apr 2025

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Missing Authorization vulnerability in Themekraft BuddyForms buddyforms allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects BuddyForms: from n/a through <= 2.9.0.โ€ขCVE-2025-62973
  2. The Post Form โ€“ Registration Form โ€“ Profile Form for User Profiles โ€“ Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buddyforms_nav' shortcode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.โ€ขCVE-2024-12038
  3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themekraft BuddyForms buddyforms allows Stored XSS.This issue affects BuddyForms: from n/a through <= 2.8.12.โ€ขCVE-2024-47377
  4. The Post Form โ€“ Registration Form โ€“ Profile Form for User Profiles โ€“ Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to plugin not properly restricting what users have access to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators.โ€ขCVE-2024-8246
  5. The BuddyForms plugin for WordPress is vulnerable to Email Verification Bypass in all versions up to, and including, 2.8.9 via the use of an insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification.โ€ขCVE-2024-5149

References

Sources include official advisories and independent security research.