CVE-2025-32589 is a Local File Inclusion (LFI) vulnerability found in the odude Flexi – Guest Submit plugin, a PHP-based component used for guest submissions on websites. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary local files on the server. This can lead to disclosure of sensitive files such as configuration files, password stores, or source code, and potentially enable remote code execution if combined with other vulnerabilities or misconfigurations. The affected versions include all releases up to and including 4.28. The vulnerability was publicly disclosed on April 11, 2025, but no known exploits have been reported in the wild to date. The lack of a CVSS score means severity must be assessed based on the nature of the vulnerability: LFI flaws typically have a high impact on confidentiality and integrity, especially in web-facing applications. The flaw does not require authentication, increasing the risk of exploitation. The vulnerability is particularly relevant for websites running PHP and using the Flexi – Guest Submit plugin, which is commonly found in content management systems or custom PHP web applications. The absence of official patches or mitigation links suggests that users must implement manual controls or await vendor updates.

The primary impact of this vulnerability is unauthorized disclosure of sensitive local files on the affected web server, which can compromise confidentiality by exposing credentials, configuration details, or application source code. This can facilitate further attacks such as privilege escalation, remote code execution, or lateral movement within the network. The integrity of the system may also be affected if attackers can manipulate included files or leverage the vulnerability to execute arbitrary code. Availability impact is generally low unless the attacker uses the vulnerability to disrupt services. Since no authentication is required, the attack surface is broad, potentially affecting any internet-facing instance of the vulnerable plugin. Organizations relying on the Flexi – Guest Submit plugin for guest content submission are at risk of data breaches and reputational damage. The lack of known exploits currently limits immediate widespread impact, but the vulnerability remains a significant risk if weaponized.

1. Immediately audit all instances of the odude Flexi – Guest Submit plugin and identify affected versions (<= 4.28). 2. If a vendor patch becomes available, apply it promptly. 3. Implement strict input validation and sanitization on all parameters used in include/require statements to ensure only intended files can be included. 4. Employ whitelisting of allowable file paths and names to prevent arbitrary file inclusion. 5. Disable PHP functions like allow_url_include if not required, and configure open_basedir restrictions to limit accessible file system paths. 6. Monitor web server logs for suspicious requests attempting to manipulate include parameters. 7. Use web application firewalls (WAFs) with rules targeting LFI attack patterns to block malicious requests. 8. Conduct regular security assessments and code reviews focusing on file inclusion logic. 9. Educate developers and administrators about secure coding practices related to file inclusion. 10. Consider isolating or sandboxing the affected application to reduce potential damage from exploitation.