
CVE-2025-32672: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in g5theme Ultimate Bootstrap Elements for Elementor

Published: Fri Apr 11 2025 (04/11/2025, 08:43:02 UTC)
Source: CVE Database V5
Vendor/Project: g5theme
Product: Ultimate Bootstrap Elements for Elementor

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Ultimate Bootstrap Elements for Elementor ultimate-bootstrap-elements-for-elementor allows PHP Local File Inclusion. This issue affects Ultimate Bootstrap Elements for Elementor: from n/a through <= 1.4.9.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/02/2026, 03:48:47 UTC

Technical Analysis

CVE-2025-32672 is a Local File Inclusion (LFI) vulnerability found in the Ultimate Bootstrap Elements for Elementor plugin developed by g5theme. This vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include unintended files from the server. The affected versions are all releases up to and including 1.4.9. LFI vulnerabilities can enable attackers to read sensitive files, such as configuration files or password stores, and in some cases, execute arbitrary code if combined with other vulnerabilities or misconfigurations. The flaw is due to insufficient validation or sanitization of user-supplied input that controls the file path in PHP functions. Although no public exploits have been reported yet, the vulnerability is critical because it can be exploited remotely without authentication, depending on the plugin's exposure. The plugin is widely used in WordPress environments to enhance Elementor page builder functionality, making many websites potentially vulnerable. The absence of a CVSS score means severity must be estimated based on the nature of the vulnerability, its impact on confidentiality, integrity, and availability, and the ease of exploitation. Given the potential for remote code execution or sensitive data exposure, this vulnerability is serious and requires immediate attention from site administrators and developers.

Potential Impact

The impact of CVE-2025-32672 can be significant for organizations running WordPress sites with the Ultimate Bootstrap Elements for Elementor plugin. Successful exploitation could lead to unauthorized disclosure of sensitive files such as configuration files, database credentials, or other critical data stored on the server. In worst-case scenarios, attackers might achieve remote code execution by including malicious files or chaining this vulnerability with others, leading to full server compromise. This can result in data breaches, defacement, malware distribution, or use of the compromised server as a pivot point for further attacks. The vulnerability affects the confidentiality, integrity, and availability of affected systems. Organizations relying on this plugin for their web presence, especially those handling sensitive user data or critical business operations, face increased risk of reputational damage, financial loss, and regulatory penalties. Since the plugin is used globally, the threat landscape is broad, and attackers may target high-value websites or those with weaker security postures.

Mitigation Recommendations

To mitigate CVE-2025-32672, organizations should immediately update the Ultimate Bootstrap Elements for Elementor plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should consider disabling or removing the plugin if feasible. Implement strict input validation and sanitization on any user-supplied data that controls file paths to prevent malicious manipulation. Employ web application firewalls (WAFs) with rules designed to detect and block LFI attack patterns targeting PHP include/require statements. Restrict PHP file inclusion paths using configuration directives such as open_basedir to limit accessible directories. Monitor server logs for suspicious file inclusion attempts or unusual access patterns. Conduct regular security audits and vulnerability scans to identify and remediate similar issues proactively. Additionally, ensure that file permissions on the server are properly configured to minimize the impact of any file inclusion attempts.
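
The input-validation recommendation above, as an added example (not the plugin's code and not taken from a vendor patch): the request value selects a key from an allowlist, and the resolved path must stay inside one fixed directory before it reaches `include`. The function name, template names and directory are hypothetical, and the inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: map a user-supplied template name to a file inside
// one fixed directory, or return null. Nothing here is the plugin's own API.
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the request picks a known key, it never supplies a path.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both sides so symlinks and dot segments are resolved.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // 3. Containment: the canonical path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Constructed demo: a temporary template directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'card.php', '<?php echo "card template\n";');

$allowed = ['card', 'banner'];                          // constructed allowlist
foreach (['card', 'banner', '../card', 'unknown'] as $name) {   // constructed inputs
    $path = resolve_template($name, $dir, $allowed);
    if ($path === null) {
        echo "rejected: $name\n";   // not allowlisted, or no such file in the base dir
        continue;
    }
    include $path;                  // only reached for an allowlisted, contained file
}

unlink($dir . DIRECTORY_SEPARATOR . 'card.php');
rmdir($dir);
```

Setting `open_basedir` in the PHP configuration to the site's directories adds a second layer if a code path like this is missed.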


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-04-09T11:21:18.307Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69cd73ede6bfc5ba1def4179

Added to database: 4/1/2026, 7:37:17 PM

Last enriched: 4/2/2026, 3:48:47 AM

Last updated: 4/6/2026, 9:38:06 AM
