CVE-2025-32304 is a vulnerability classified under CWE-98, which pertains to improper control of filenames used in PHP include or require statements. This flaw exists in the Mojoomla WPCHURCH WordPress plugin, versions up to 2.7.0. The vulnerability allows an attacker to perform Remote File Inclusion (RFI), where malicious external files can be included and executed by the PHP interpreter. This occurs because the plugin fails to properly validate or sanitize user-supplied input that determines the filename to be included. Exploiting this vulnerability does not require authentication or user interaction, but it has a high attack complexity, likely due to the need for specific crafted requests or environmental conditions. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the server, potentially leading to full system compromise. The CVSS v3.1 score is 8.1 (high), reflecting the critical impact on confidentiality, integrity, and availability. No public exploits or patches are currently available, but the vulnerability is publicly disclosed and should be treated with urgency. The plugin is commonly used in WordPress sites serving religious communities, making it a niche but impactful target.

For European organizations, the impact of this vulnerability can be significant, especially for those operating WordPress sites with the WPCHURCH plugin installed. Successful exploitation could lead to unauthorized access, data theft, defacement, or complete server takeover. This threatens the confidentiality of sensitive user data, the integrity of website content, and the availability of online services. Religious and community organizations using WPCHURCH may face reputational damage and operational disruption. Given the widespread use of WordPress across Europe and the presence of religious community websites, the attack surface is non-trivial. Additionally, compromised servers could be leveraged as a foothold for lateral movement within organizational networks or as part of larger botnets, increasing the broader cybersecurity risk. The high CVSS score underscores the critical nature of the threat, necessitating immediate attention from IT security teams.

1. Monitor the Mojoomla WPCHURCH plugin vendor announcements closely and apply security patches immediately once released. 2. Until a patch is available, consider disabling or uninstalling the WPCHURCH plugin if feasible, especially on high-risk or public-facing sites. 3. Implement strict input validation and sanitization on all parameters that influence file inclusion to prevent injection of malicious paths or URLs. 4. Employ Web Application Firewalls (WAFs) configured to detect and block suspicious file inclusion attempts and anomalous HTTP requests targeting PHP include parameters. 5. Restrict PHP configurations to disable remote file inclusion (e.g., setting allow_url_include=Off in php.ini) to reduce risk. 6. Conduct regular security audits and code reviews of custom plugins or themes that may interact with WPCHURCH. 7. Monitor logs for unusual activity indicative of exploitation attempts, such as unexpected file access or execution patterns. 8. Educate website administrators on the risks of installing unverified plugins and the importance of timely updates.