Platform
wordpress
Component
idonate
Fixed in
2.1.19
CVE-2025-32519 describes a PHP Local File Inclusion (LFI) vulnerability within the IDonate application. This flaw arises from improper control of filenames used in include/require statements, allowing an attacker to manipulate file paths. Successful exploitation could lead to sensitive information disclosure or even remote code execution, depending on the files included. This vulnerability impacts IDonate versions from 0.0.0 up to and including 2.1.18. A fix is expected to be released by the vendor.
The primary impact of CVE-2025-32519 is the potential for an attacker to include arbitrary files on the server. This can be exploited to read sensitive configuration files, source code, or even other application files. If the attacker can include a file containing malicious code (e.g., a PHP script), they could achieve remote code execution (RCE) and gain complete control of the affected system. The blast radius extends to any data accessible through the included files, potentially including user data, database credentials, and internal system information. While the vulnerability is classified as a Local File Inclusion, the ability to execute arbitrary code significantly elevates the risk, making it comparable to vulnerabilities that allow direct code injection. The attacker does not need authentication to exploit this vulnerability, making it a high-priority concern.
CVE-2025-32519 was published on 2025-04-11. Its CVSS score of 8.1 (HIGH) indicates a significant risk. The vulnerability is not currently listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. However, the ease of exploitation (LFI) and potential for RCE mean it remains a serious threat. Public proof-of-concept (POC) code is likely to emerge quickly, increasing the risk of exploitation. Monitor security advisories from Foysal Imran and relevant security communities for updates.
Exploit Status
EPSS
0.55% (68% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-32519 is to upgrade to a patched version of IDonate as soon as it becomes available. Until a patch is released, several workarounds can be implemented to reduce the risk. First, restrict file access permissions to the IDonate directory, limiting the attacker's ability to read sensitive files. Implement strict input validation and sanitization on any user-supplied data used in file paths. Consider using a Web Application Firewall (WAF) with rules to block attempts to include arbitrary files. If a WAF is not available, configure your proxy server to filter out suspicious file inclusion attempts. Regularly monitor system logs for unusual file access patterns that may indicate exploitation. After upgrading, confirm the vulnerability is resolved by attempting to trigger the file inclusion with a non-existent file; the application should return an error, not include the file.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
It's a PHP Local File Inclusion (LFI) vulnerability in IDonate, allowing attackers to include arbitrary files and potentially execute code.
If you are using IDonate versions 0.0.0 through 2.1.18, you are potentially affected by this vulnerability.
Upgrade to the latest patched version of IDonate as soon as it's available. Until then, implement workarounds like restricting file access and using a WAF.
While not currently listed on KEV or EPSS, the ease of exploitation suggests a potential for active exploitation, and POC code may emerge.
Refer to the official NVD entry for CVE-2025-32519 and monitor security advisories from Foysal Imran and relevant security communities.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.