Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themekraft BuddyForms buddyforms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through <= 2.9.0.
Published: 2025-04-04
Score: 7.5 High
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an instance of improper control of the filename used in an include/require statement (CWE-98), which lets an attacker cause the BuddyForms plugin to include arbitrary local files. User-supplied filenames reach PHP's include/require without adequate validation, so an attacker can read sensitive files or, if the supplied path points at a file with executable PHP content, have that code run. The result is a local file inclusion that may expose confidential data or lead to remote code execution when the attacker can place or reference a suitable file.

Affected Systems

The Themekraft BuddyForms plugin for WordPress is affected in all versions up to and including 2.9.0. The issue applies regardless of other installed plugins or the WordPress core version.

Risk and Exploitability

A CVSS score of 7.5 designates high severity, while an EPSS score of less than 1% indicates that exploitation is currently rare but still possible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a public-facing form or request that lets the attacker specify a filename, though the description does not detail the precise input mechanism. The flaw is local: it requires some level of access to the WordPress installation, such as interacting with the plugin's features.

Generated by OpenCVE AI on May 1, 2026 at 00:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BuddyForms plugin to a version newer than 2.9.0.
  • If an upgrade cannot be performed immediately, disable or remove the plugin’s feature that accepts user‑provided filenames until an official fix is released.
  • Configure PHP to limit directory access for the plugin, for example by enabling open_basedir or disabling allow_url_include, so that only approved directories can be read by the plugin.
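As an added illustration of the hardening these actions aim at (this is example code, not BuddyForms' own; the template directory, the template allowlist and the `template` request parameter are assumptions), the following PHP shows how a plugin can confine a user-supplied template name to a fixed allowlist and to its own directory before ever passing it to include:

```php
<?php
// Added example, not BuddyForms code. Assumptions: templates live in
// __DIR__ . '/templates' and are addressed by a short name via ?template=.

/**
 * Resolve a user-supplied template name to a file inside $baseDir, or return null.
 * Two independent controls against CWE-98:
 *   1. the name must be on an explicit allowlist, so arbitrary paths never reach include;
 *   2. the resolved path must remain under $baseDir after realpath() has collapsed
 *      "../" segments and symlinks, as defence in depth if the allowlist is ever widened.
 */
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;                      // unknown identifier: reject outright
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                      // directory or file does not exist
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                      // resolved outside the template directory
    }
    return $path;
}

// The unsafe shape this replaces is `include $dir . $_GET['template'] . '.php';`,
// where the request parameter controls the included file with no validation.
$template = resolve_template(
    (string) ($_GET['template'] ?? ''),
    __DIR__ . '/templates',
    ['form', 'confirmation']             // assumed allowlist of shipped templates
);
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $template;
```

Keeping the allowlist in code rather than deriving it from the filesystem also means an attacker-uploaded file under the template directory is still not includable.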

Advisories

  • Source: EUVD
    ID: EUVD-2025-9854
    Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Sven Lehnert BuddyForms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through 2.8.15.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics (cvssV3_1)
    Removed: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  • Description
    Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Sven Lehnert BuddyForms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through 2.8.15.
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themekraft BuddyForms buddyforms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through <= 2.9.0.
  • Title
    Removed: WordPress BuddyForms Plugin <= 2.8.15 - Local File Inclusion vulnerability
    Added: WordPress BuddyForms Plugin <= 2.9.0 - Local File Inclusion vulnerability
  • References
  • Metrics (cvssV3_1)
    Removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
    Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 26 Nov 2025 17:45:00 +0000

  • First Time appeared
    Added: Themekraft; Themekraft buddyforms
  • CPEs
    Added: cpe:2.3:a:themekraft:buddyforms:*:*:*:*:*:wordpress:*:*
  • Vendors & Products
    Added: Themekraft; Themekraft buddyforms

Fri, 04 Apr 2025 21:15:00 +0000

  • Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 04 Apr 2025 16:15:00 +0000

  • Description
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Sven Lehnert BuddyForms allows PHP Local File Inclusion. This issue affects BuddyForms: from n/a through 2.8.15.
  • Title
    Added: WordPress BuddyForms Plugin <= 2.8.15 - Local File Inclusion vulnerability
  • Weaknesses
    Added: CWE-98
  • References
  • Metrics (cvssV3_1)
    Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:04:09.252Z

Reserved: 2025-04-04T10:00:50.063Z

Link: CVE-2025-32151

Vulnrichment

Updated: 2025-04-04T19:53:34.522Z

NVD

Status: Modified

Published: 2025-04-04T16:15:23.370

Modified: 2026-04-23T15:28:39.170

Link: CVE-2025-32151

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T00:45:05Z

Weaknesses