CVE-2025-32663 is a Local File Inclusion (LFI) vulnerability found in the roninwp FAT Cooming Soon WordPress plugin, affecting versions up to 1.1. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements. Specifically, the plugin fails to adequately validate or sanitize user input that determines which files are included during execution. This flaw allows an attacker to manipulate the filename parameter to include arbitrary files from the server's filesystem. Exploiting this vulnerability can lead to disclosure of sensitive information such as configuration files, source code, or credentials stored on the server. In some cases, it may also enable remote code execution if combined with other vulnerabilities or misconfigurations. The vulnerability does not require authentication, increasing its risk profile. Although no public exploits are currently known, the widespread use of WordPress and its plugins makes this a critical concern. The lack of a CVSS score indicates that the vulnerability is newly published and may not yet have been fully assessed. The issue highlights the importance of secure coding practices around dynamic file inclusion in PHP applications.

The impact of CVE-2025-32663 can be severe for organizations using the affected plugin. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including credentials, configuration files, and source code, which can facilitate further attacks. In some scenarios, attackers might leverage this vulnerability to execute arbitrary code, leading to full system compromise. This can result in data breaches, website defacement, service disruption, and loss of customer trust. Since the vulnerability does not require authentication, any attacker with network access to the vulnerable WordPress site can attempt exploitation. Organizations relying on this plugin for website functionality or marketing may face operational disruptions and reputational damage. The risk is amplified in environments where the web server has access to sensitive internal resources or where other vulnerabilities exist that can be chained with this LFI.

To mitigate CVE-2025-32663, organizations should immediately update the roninwp FAT Cooming Soon plugin to a patched version once available. Until a patch is released, administrators should consider disabling or removing the plugin if it is not essential. Implement strict input validation and sanitization on all parameters controlling file inclusion, ensuring only expected and safe filenames are accepted. Employ allowlists for file paths and avoid dynamic inclusion of files based on user input. Restrict file system permissions of the web server to limit access to sensitive files. Enable Web Application Firewalls (WAFs) with rules to detect and block LFI attack patterns. Monitor web server logs for suspicious requests involving file inclusion attempts. Conduct regular security audits and vulnerability scans on WordPress installations and plugins. Educate developers and administrators on secure coding practices related to file inclusion in PHP.