Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-32151

CVE-2025-32151: BuddyForms Path Traversal Vulnerability

CVE-2025-32151 is a path traversal vulnerability in Themekraft BuddyForms allowing PHP local file inclusion attacks. Versions up to 2.9.0 are affected. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-32151 Overview

CVE-2025-32151 is a PHP Local File Inclusion (LFI) vulnerability in the Themekraft BuddyForms WordPress plugin. The flaw stems from improper control of filename parameters used in PHP include or require statements, classified as [CWE-98]. Attackers with low-privileged authenticated access can manipulate file path parameters to include arbitrary local PHP files on the server. The vulnerability affects all BuddyForms versions from initial release through 2.9.0. Successful exploitation can lead to arbitrary code execution, sensitive file disclosure, and full compromise of the WordPress site.

Critical Impact

Authenticated attackers can include arbitrary local PHP files, leading to code execution and complete site compromise on affected WordPress installations.

Affected Products

  • Themekraft BuddyForms plugin for WordPress, all versions up to and including 2.9.0
  • WordPress sites with the BuddyForms plugin active
  • Hosting environments running vulnerable BuddyForms installations

Discovery Timeline

  • 2025-04-04 - CVE-2025-32151 published to the National Vulnerability Database
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-32151

Vulnerability Analysis

The vulnerability resides in BuddyForms code that passes user-controllable input directly into a PHP include or require statement. Because the plugin fails to validate or sanitize the filename parameter, attackers can supply traversal sequences or alternate paths to load unintended PHP files. The issue is categorized under [CWE-98] as PHP Remote File Inclusion, though exploitation in this case is constrained to Local File Inclusion. An attacker authenticated with low privileges can leverage this flaw across the network without user interaction. Successful inclusion of attacker-controlled or sensitive server files results in code execution within the WordPress process context.

Root Cause

The root cause is missing input validation on a filename parameter consumed by an include/require call in BuddyForms. The plugin trusts request-supplied path data instead of restricting includes to an allow-list of vetted files. Refer to the Patchstack Vulnerability Report for technical details.

Attack Vector

Exploitation occurs over the network against the WordPress HTTP endpoint exposed by BuddyForms. The attacker requires a low-privileged account on the target site but no user interaction. By submitting a crafted parameter value that resolves to a server-side path, the attacker forces PHP to include that file. If combined with file upload primitives or log poisoning techniques, the attacker can achieve remote code execution. The EPSS score of 1.855% (83rd percentile) indicates a meaningful likelihood of exploitation activity relative to the broader CVE population.

No verified public proof-of-concept code is currently linked in the advisory. See the Patchstack Vulnerability Report for further technical context.

Detection Methods for CVE-2025-32151

Indicators of Compromise

  • HTTP requests to BuddyForms endpoints containing path traversal sequences such as ../ or absolute filesystem paths in parameter values
  • Unexpected PHP errors referencing include() or require() with non-standard file paths in web server or PHP logs
  • Web server access to sensitive files such as wp-config.php, /etc/passwd, or session files following BuddyForms requests
  • New or modified PHP files in the WordPress uploads or plugin directories shortly after suspicious BuddyForms traffic

Detection Strategies

  • Inspect WordPress and web server logs for BuddyForms request parameters containing ../, null bytes, or php:// wrappers
  • Correlate authenticated low-privilege user sessions with anomalous file access patterns on the underlying host
  • Apply web application firewall rules that flag known LFI payload patterns targeting WordPress plugin endpoints

Monitoring Recommendations

  • Enable file integrity monitoring on the wp-content/plugins/buddyforms/ directory and WordPress core files
  • Forward PHP error logs and Apache or Nginx access logs to a central SIEM for retention and correlation
  • Alert on outbound network connections from the PHP-FPM or web server process to uncommon destinations

How to Mitigate CVE-2025-32151

Immediate Actions Required

  • Upgrade BuddyForms to a version newer than 2.9.0 as soon as the vendor releases a fixed build
  • Audit WordPress user accounts and revoke unnecessary low-privilege roles that could be abused for authenticated exploitation
  • Review web server and PHP logs for prior exploitation attempts referencing BuddyForms parameters
  • Rotate WordPress secrets and database credentials if compromise is suspected

Patch Information

The vendor advisory tracked by Patchstack identifies BuddyForms versions through 2.9.0 as vulnerable. Administrators should monitor the Patchstack Vulnerability Report and the official Themekraft BuddyForms plugin page for the patched release and apply it across all WordPress instances.

Workarounds

  • Deactivate and remove the BuddyForms plugin until a patched version is installed
  • Deploy a web application firewall rule blocking path traversal characters and php:// wrappers in BuddyForms request parameters
  • Restrict PHP open_basedir and disable risky functions to limit the impact of arbitrary file inclusion
  • Enforce least privilege on WordPress accounts to reduce the pool of users able to reach authenticated endpoints
bash
# Example WAF rule pattern (ModSecurity) to block LFI attempts on BuddyForms endpoints
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
  "chain,deny,status:403,id:1000321,msg:'BuddyForms LFI attempt CVE-2025-32151'"
  SecRule ARGS "@rx (\.\./|php://|/etc/passwd|wp-config\.php)" "t:none,t:lowercase"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.