CVE-2025-32304 Overview
CVE-2025-32304 is a Local File Inclusion (LFI) vulnerability affecting the Mojoomla WPCHURCH WordPress plugin, a church management solution. The vulnerability stems from improper control of filename parameters used in PHP include/require statements, allowing attackers to include arbitrary local files from the server filesystem.
This vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), which describes scenarios where user-controlled input is used to construct file paths for PHP's include or require functions without proper validation.
Critical Impact
Successful exploitation could allow unauthenticated attackers to read sensitive configuration files, access database credentials, or potentially achieve remote code execution through log poisoning or other LFI-to-RCE techniques.
Affected Products
- WPCHURCH WordPress Plugin versions up to and including 2.7.0
- WordPress installations using vulnerable WPCHURCH plugin versions
- Church management systems built on the WPCHURCH framework
Discovery Timeline
- 2026-01-06 - CVE-2025-32304 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-32304
Vulnerability Analysis
The WPCHURCH plugin fails to properly sanitize user-supplied input before using it in PHP file inclusion functions. This allows attackers to manipulate file path parameters to include arbitrary files from the local filesystem. The vulnerability requires no authentication and can be exploited remotely over the network, though the attack complexity is considered high due to specific conditions that must be met for successful exploitation.
When exploited, this LFI vulnerability can lead to disclosure of sensitive information such as WordPress configuration files (wp-config.php), system files, or plugin source code. In more severe scenarios, attackers may chain this vulnerability with other techniques to achieve remote code execution.
Root Cause
The root cause of this vulnerability lies in inadequate input validation and sanitization of user-controlled parameters that are subsequently used in PHP's include(), require(), include_once(), or require_once() functions. The WPCHURCH plugin fails to implement proper path canonicalization, directory traversal prevention, or whitelist-based file inclusion controls.
Attack Vector
The attack is network-based and does not require authentication. An attacker can craft malicious HTTP requests containing path traversal sequences (such as ../) or absolute file paths to include files outside the intended directory scope. The exploitation flow typically involves:
- Identifying vulnerable parameters that accept file path input
- Injecting path traversal sequences to escape the intended directory
- Specifying target files to include (e.g., /etc/passwd, wp-config.php)
- Extracting sensitive information from the included file content
For detailed technical information about this vulnerability, refer to the Patchstack WordPress Vulnerability Report.
Detection Methods for CVE-2025-32304
Indicators of Compromise
- Unusual HTTP requests containing path traversal patterns (../, ..%2f, %2e%2e/) targeting WPCHURCH plugin endpoints
- Web server logs showing requests attempting to access sensitive files like wp-config.php or /etc/passwd
- Unexpected file access attempts logged by security monitoring tools
- Evidence of sensitive file content in HTTP responses or application logs
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block path traversal attempts in request parameters
- Implement server-side logging and monitoring for file inclusion anomalies
- Use intrusion detection systems (IDS) with signatures for LFI attack patterns
- Monitor WordPress plugin activity logs for suspicious file access patterns
- Conduct regular vulnerability scans of WordPress installations to identify outdated plugins
Monitoring Recommendations
- Enable detailed access logging on web servers to capture full request URIs and parameters
- Configure alerting for requests containing common LFI payloads targeting the WPCHURCH plugin directory
- Monitor file system access patterns for the WordPress installation directory
- Set up real-time alerts for attempts to access sensitive configuration files
How to Mitigate CVE-2025-32304
Immediate Actions Required
- Review the WPCHURCH plugin for available security updates beyond version 2.7.0
- Consider temporarily disabling the WPCHURCH plugin if no patch is available and the functionality is not critical
- Implement WAF rules to block path traversal attempts targeting the plugin
- Restrict file system permissions to limit readable files from the web server context
- Audit web server logs for evidence of exploitation attempts
Patch Information
Organizations should monitor the Patchstack WordPress Vulnerability Report for updates regarding security patches from the vendor. Update the WPCHURCH plugin to a patched version as soon as one becomes available. Until a patch is released, implement the workarounds listed below to reduce exposure.
Workarounds
- Deploy a Web Application Firewall (WAF) with rules to block LFI/path traversal patterns in requests to the WPCHURCH plugin
- Disable the WPCHURCH plugin temporarily if church management functionality can be handled through alternative means
- Implement server-level PHP configuration hardening by setting open_basedir to restrict file access
- Configure disable_functions in php.ini to limit dangerous PHP functions
- Apply the principle of least privilege to web server file system permissions
# PHP configuration hardening example (php.ini or .htaccess)
# Restrict PHP file operations to specific directories
php_admin_value open_basedir /var/www/html:/tmp
# Disable potentially dangerous functions
php_admin_value disable_functions system,exec,shell_exec,passthru,popen,proc_open
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
