HIGH · CVE-2025-32519 · CVSS 8.1

CVE-2025-32519: PHP Remote File Inclusion in IDonate

Platform

wordpress

Component

idonate

Fixed in

2.1.19

AI Confidence: high · Source: NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2025-32519 describes a PHP Local File Inclusion (LFI) vulnerability within the IDonate application. This flaw arises from improper control of filenames used in include/require statements, allowing an attacker to manipulate file paths. Successful exploitation could lead to sensitive information disclosure or even remote code execution, depending on the files included. This vulnerability impacts IDonate versions from 0.0.0 up to and including 2.1.18. A fix is expected to be released by the vendor.

Impact and Attack Scenarios

The primary impact of CVE-2025-32519 is the potential for an attacker to include arbitrary files on the server. This can be exploited to read sensitive configuration files, source code, or even other application files. If the attacker can include a file containing malicious code (e.g., a PHP script), they could achieve remote code execution (RCE) and gain complete control of the affected system. The blast radius extends to any data accessible through the included files, potentially including user data, database credentials, and internal system information. While the vulnerability is classified as a Local File Inclusion, the ability to execute arbitrary code significantly elevates the risk, making it comparable to vulnerabilities that allow direct code injection. The attacker does not need authentication to exploit this vulnerability, making it a high-priority concern.

Exploitation Context

CVE-2025-32519 was published on 2025-04-11. Its CVSS score of 8.1 (HIGH) indicates a significant risk. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. However, the ease of exploitation (LFI) and potential for RCE mean it remains a serious threat. Public proof-of-concept (POC) code is likely to emerge quickly, increasing the risk of exploitation. Monitor security advisories from Foysal Imran and relevant security communities for updates.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.55% (68% percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 8.1, HIGH; source: nextguardhq.com)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: idonate
Vendor: wordfence
Affected range: 0 – 2.1.18
Fixed in: 2.1.19

Package Information

Active installs: 100 (Niche)
Plugin rating: 4.2
Requires WordPress: 5.3+
Compatible up to: 6.9.4
Requires PHP: 7.4+

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 408 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-32519 is to upgrade to a patched version of IDonate as soon as it becomes available. Until a patch is released, several workarounds can be implemented to reduce the risk. First, restrict file access permissions to the IDonate directory, limiting the attacker's ability to read sensitive files. Implement strict input validation and sanitization on any user-supplied data used in file paths. Consider using a Web Application Firewall (WAF) with rules to block attempts to include arbitrary files. If a WAF is not available, configure your proxy server to filter out suspicious file inclusion attempts. Regularly monitor system logs for unusual file access patterns that may indicate exploitation. After upgrading, confirm the vulnerability is resolved by attempting to trigger the file inclusion with a non-existent file; the application should return an error, not include the file.
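The input-validation and fail-closed behaviour described above, as an added PHP example. This is not IDonate's code, nor WordPress core; it is a generic pattern for any plugin that selects a file to include from a request parameter. The function names (resolve_template_path, render_template), the allow-listed template names, and the temporary directory layout are assumptions made for the illustration. The script creates two throwaway template files under the system temp directory, runs a set of requests through the guard (including the non-existent-file check the text recommends after upgrading), and removes the files again.

```php
<?php
// Added example, not code from IDonate or WordPress. It shows the allow-list
// and path-confinement checks the mitigation text calls for, wrapped around
// include(). All names (resolve_template_path, render_template, the template
// list, the temp directory layout) are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Map a user-supplied template name to an absolute path inside $baseDir.
 * Returns null for anything that is not an exact, allow-listed template.
 */
function resolve_template_path(string $baseDir, string $requested, array $allowed): ?string
{
    // 1. Structural check: a short bare name, no separators, dots or NUL bytes.
    if ($requested === '' || strlen($requested) > 64
        || preg_match('/\A[a-z0-9_-]+\z/', $requested) !== 1) {
        return null;
    }
    // 2. Allow-list: only names the application shipped are acceptable.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 3. Confinement: after symlink resolution the file must still sit under $baseDir.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/** Render a template or fail closed with a generic error; never include user input directly. */
function render_template(string $baseDir, string $requested, array $allowed): string
{
    $path = resolve_template_path($baseDir, $requested, $allowed);
    if ($path === null) {
        // Record the rejected value (hex, so odd bytes survive) for log monitoring;
        // do not echo it back to the client.
        error_log('rejected template request: ' . bin2hex($requested));
        return 'error: unknown template';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- Self-check with a constructed template directory in the system temp dir ---
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-demo-' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/receipt.php', '<?php echo "receipt ok";');
file_put_contents($dir . '/secret.php',  '<?php echo "should never render";');
$allowed = ['receipt', 'thankyou'];

// Constructed requests and the result each one should produce.
$cases = [
    'receipt'        => 'receipt ok',              // allow-listed and present
    'thankyou'       => 'error: unknown template', // allow-listed but file missing: fails closed
    'secret'         => 'error: unknown template', // present on disk but not allow-listed
    '../receipt'     => 'error: unknown template', // separator rejected by the structural check
    "receipt\0"      => 'error: unknown template', // NUL byte rejected
    'does-not-exist' => 'error: unknown template', // the post-upgrade check from the text
];
foreach ($cases as $input => $expected) {
    $got = render_template($dir, (string) $input, $allowed);
    printf("%-20s -> %s%s\n", json_encode($input), $got, $got === $expected ? '' : '  (MISMATCH)');
}
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Run it with `php guard-demo.php`. The three checks are deliberately layered: the character-class test stops traversal and NUL-byte inputs before any filesystem call, the allow-list means a file that merely exists in the directory (secret.php) cannot be selected, and the realpath comparison catches symlinks or mount tricks that the first two checks cannot see. Every rejection returns the same generic error, so the response does not reveal which check fired or whether a file exists, while the error_log line gives the monitoring described above something concrete to alert on.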

How to fix

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Frequently asked questions

What is CVE-2025-32519 in IDonate?

It's a PHP Local File Inclusion (LFI) vulnerability in IDonate, allowing attackers to include arbitrary files and potentially execute code.

Am I affected by CVE-2025-32519 in IDonate?

If you are using IDonate versions 0.0.0 through 2.1.18, you are potentially affected by this vulnerability.

How do I fix CVE-2025-32519 in IDonate?

Upgrade to the latest patched version of IDonate as soon as it's available. Until then, implement workarounds like restricting file access and using a WAF.

Is CVE-2025-32519 being actively exploited?

While not currently listed on KEV or EPSS, the ease of exploitation suggests a potential for active exploitation, and POC code may emerge.

Where can I find the official IDonate advisory for CVE-2025-32519?

Refer to the official NVD entry for CVE-2025-32519 and monitor security advisories from Foysal Imran and relevant security communities.
