CVE-2025-32304
📋 TL;DR
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the WPCHURCH plugin (Church Management) from all versions up to 2.7.0. Attackers can potentially read sensitive files or execute arbitrary code.
💻 Affected Systems
- WordPress WPCHURCH Plugin (Church Management)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through local file inclusion leading to remote code execution, data exfiltration, and complete site takeover.
Likely Case
Sensitive file disclosure (configuration files, database credentials, user data) and limited code execution within web server context.
If Mitigated
Limited impact with proper file permissions, web application firewalls, and restricted PHP functions.
🎯 Exploit Status
Simple HTTP requests can trigger the vulnerability. Public proof-of-concept available through security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.1 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'WPCHURCH' or 'Church Management'. 4. Click 'Update Now' if available. 5. If no update appears, manually download version 2.7.1+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate WPCHURCH plugin until patched
wp plugin deactivate church-management
Web Application Firewall rule
linuxBlock requests containing local file inclusion patterns
ModSecurity rule: SecRule ARGS "\.\./" "id:1001,phase:2,deny,status:403,msg:'Local File Inclusion attempt'
🧯 If You Can't Patch
- Remove plugin entirely and use alternative church management solution
- Implement strict file permissions (chmod 600 on sensitive files) and disable dangerous PHP functions (allow_url_include=Off)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for WPCHURCH version ≤2.7.0Check Version:
wp plugin get church-management --field=versionVerify Fix Applied:
Confirm plugin version is 2.7.1 or higher in WordPress plugins list📡 Detection & Monitoring
Log Indicators:
- HTTP requests with ../ patterns in parameters
- PHP include/require errors in web server logs
- Access to unusual file paths in web root
Network Indicators:
- HTTP GET/POST requests with file path traversal sequences (../, ..\)
- Unexpected file downloads from web server
SIEM Query:
web_access_logs WHERE url CONTAINS '../' AND user_agent NOT CONTAINS 'scanner'