CVE-2025-32925

8.3 HIGH

📋 TL;DR

This vulnerability (CWE-98, improper control of the filename passed to a PHP include/require) lets an unauthenticated attacker make the SUMO Reward Points WordPress plugin include arbitrary local files on the server. Depending on what can be included, the outcome is disclosure of sensitive files such as wp-config.php or remote code execution, for example by including a file the attacker previously uploaded or a log file seeded with PHP. All versions up to and including 30.7.0 are affected.

💻 Affected Systems

Products:
  • SUMO Reward Points WordPress Plugin
Versions: All versions up to and including 30.7.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin activated.

📦 What is this software?

SUMO Reward Points (plugin slug: rewardsystem) is a commercial WordPress/WooCommerce loyalty plugin by FantasticPlugins that awards points for purchases and other actions and lets customers redeem them.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise through remote code execution, for example by including a file the attacker has uploaded or a log file seeded with PHP, allowing them to steal sensitive data, install backdoors, or pivot to other systems.

🟠 Likely Case: Sensitive file disclosure (wp-config.php with database credentials, other configuration files, user data) leading to further exploitation or data theft.

🟢 If Mitigated: Limited impact if the PHP process runs with minimal privileges, file permissions are restrictive, open_basedir confines PHP to the WordPress directory, and PHP execution is blocked in writable directories such as wp-content/uploads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory does not document the vulnerable endpoint or parameter, so an attacker first has to locate it; once it is known, exploitation is a matter of sending crafted HTTP requests with a traversal or absolute path and needs no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A release later than 30.7.0 (the advisory lists 30.7.0 as the last affected version; confirm the exact fixed version in the vendor advisory below before relying on it)

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/rewardsystem/vulnerability/wordpress-sumo-reward-points-plugin-30-7-0-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Update the SUMO Reward Points plugin to the latest version via the WordPress admin panel (Plugins > Installed Plugins).
2. Verify the update completed: wp plugin get rewardsystem --field=version must report a version above 30.7.0 (compare numerically; 30.10.0 is newer than 30.7.0).
3. Test plugin functionality after the update.

🔧 Temporary Workarounds

Disable Plugin (all platforms)

Temporarily deactivate the SUMO Reward Points plugin until a fixed version is installed. Deactivation removes the vulnerable code path entirely, but reward-point features stop working while it is off.

wp plugin deactivate rewardsystem

Restrict File Access (linux)

Deny direct HTTP retrieval of backups, logs and config fragments in the web root, and block PHP execution under wp-content/uploads. Be clear about what this does not do: the inclusion happens inside PHP, which reads files through the filesystem, so web server access rules cannot stop wp-config.php or /etc/passwd from being included. The PHP-side control that does constrain include() is open_basedir; set it to the WordPress directory (plus the temp directory) in php.ini or the vhost so includes outside the web root fail.

# .htaccess in the site root, Apache 2.4 (do not list php here: that would block index.php and wp-login.php)
<FilesMatch "\.(inc|conf|ini|log|sql|bak)$">
  Require all denied
</FilesMatch>
# wp-content/uploads/.htaccess: no PHP execution from the uploads tree
<FilesMatch "\.(php|phtml|phar)$">
  Require all denied
</FilesMatch>
# Apache 2.2: replace "Require all denied" with "Order allow,deny" followed by "Deny from all"

🧯 If You Can't Patch

  • Implement WAF rules that block LFI patterns in any parameter, not just file=: ../ and its URL-encoded forms (%2e%2e%2f, double-encoded %252e), php:// and data:// stream wrappers, and references to wp-config.php or /etc/passwd
  • Block PHP execution under wp-content/uploads, set open_basedir, and list system, exec, shell_exec, passthru and proc_open in disable_functions so an included file has less to work with

🔍 How to Verify

Check if Vulnerable:

Open Plugins > Installed Plugins in the WordPress admin panel and read the SUMO Reward Points version. If the plugin is installed and the version is 30.7.0 or earlier, the site is vulnerable; compare version components numerically (30.10.0 is newer than 30.7.0) and check even if the plugin is currently deactivated, since reactivation restores the vulnerable code.

Check Version:

wp plugin get rewardsystem --field=version

Verify Fix Applied:

Verify plugin version is higher than 30.7.0 in WordPress admin panel and test plugin functionality.
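As an added check (not from the page or the plugin vendor), the script below applies the same test in Python: it compares version components numerically, which matters because the string "30.10.0" sorts before "30.7.0", and reads the installed version either from WP-CLI or, when WP-CLI is unavailable, from the plugin's main-file header the way WordPress itself does. The slug rewardsystem is taken from the advisory URL and the WP-CLI command above; the sample header is constructed and is not the plugin's real file.

```python
"""Version check for the SUMO Reward Points (slug: rewardsystem) LFI advisory."""
import re
import subprocess
from typing import Optional, Tuple

LAST_VULNERABLE = "30.7.0"    # advisory: every release up to and including 30.7.0 is affected
PLUGIN_SLUG = "rewardsystem"  # slug from the Patchstack advisory URL / WP-CLI (assumed)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '30.7.0' into (30, 7, 0) so components compare numerically.

    A plain string comparison gets this wrong: '30.10.0' < '30.7.0' is True as
    strings, but 30.10.0 is the newer release. Trailing non-numeric parts such
    as '-beta' are ignored; missing components are padded with 0.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version is 30.7.0 or older."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def version_from_plugin_header(php_source: str) -> Optional[str]:
    """Read the 'Version:' line from a plugin's main file header, as WordPress does.

    Useful when WP-CLI is unavailable: read wp-content/plugins/<slug>/<main>.php
    (the file whose header contains 'Plugin Name:') and pass its contents here.
    """
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", php_source,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_from_wp_cli(slug: str = PLUGIN_SLUG, wp_path: Optional[str] = None) -> Optional[str]:
    """Ask WP-CLI for the installed version; None if WP-CLI fails or the plugin is absent."""
    cmd = ["wp", "plugin", "get", slug, "--field=version"]
    if wp_path:
        cmd.append(f"--path={wp_path}")
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=60)
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def assess(version: Optional[str]) -> str:
    """Human-readable verdict for one installed version."""
    if version is None:
        return "plugin not found or version unknown"
    verdict = "VULNERABLE" if is_vulnerable(version) else "patched"
    return f"{PLUGIN_SLUG} {version}: {verdict} (last affected release {LAST_VULNERABLE})"


# Constructed sample of a WordPress plugin header; not the plugin's actual file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: SUMO Reward Points
 * Version: 30.7.0
 */
"""

if __name__ == "__main__":
    print(assess(version_from_wp_cli()))                       # live WP-CLI lookup
    print(assess(version_from_plugin_header(SAMPLE_HEADER)))   # header-file fallback on the sample
```

Run it from the WordPress root (or pass wp_path) so WP-CLI finds the installation; the header fallback is there for hosts where WP-CLI is not installed.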

📡 Detection & Monitoring

Log Indicators:

  • PHP error log entries such as "include(...): Failed opening '...' for inclusion" or "failed to open stream" whose path points outside the plugin directory (PHP does not log successful includes, so only failed attempts show up here)
  • Web server access log requests whose parameters reference /etc/passwd, wp-config.php, or contain ../ sequences, including URL-encoded forms such as %2e%2e%2f
  • Bursts of such requests from one source: an attacker usually fails several times before finding a readable file

Network Indicators:

  • HTTP requests with file path traversal patterns
  • Requests to plugin endpoints with file parameters

SIEM Query:

source="web_logs" AND (uri="*../*" OR uri="*%2e%2e%2f*" OR uri="*%2e%2e/*" OR uri="*..%2f*" OR uri="*%252e%252e*" OR uri="*/etc/passwd*" OR uri="*wp-config*" OR uri="*php://*")

Splunk-style search. It deliberately does not require a parameter named include=, require= or file=, because the advisory does not name the vulnerable parameter; match on the traversal, target-file and wrapper patterns instead and prioritise hits against paths under wp-content/plugins/rewardsystem/.
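The following detector is an added example, not part of the original page or any vendor tooling. It applies the log indicators above to combined-format access log lines, percent-decoding each URI until stable before matching so that %2e%2e%2f and the double-encoded %252e%252e%252f are both caught, flags PHP stream wrappers and null bytes alongside plain traversal, and tallies attempts per source. The sample lines, the parameter names in them and the plugin directory name rewardsystem are constructed assumptions.

```python
"""Scan web server access logs for local-file-inclusion attempts."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Directory the plugin lives in under wp-content/plugins (assumed to match its slug).
PLUGIN_DIR = "/wp-content/plugins/rewardsystem/"

# Combined log format as written by Apache and Nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (label, regex applied to the fully decoded URI).
LFI_RULES = [
    ("path traversal", re.compile(r"\.\./")),
    ("sensitive system file", re.compile(r"/etc/(?:passwd|shadow|hosts)|/proc/self/", re.I)),
    ("wordpress config", re.compile(r"wp-config\.php", re.I)),
    ("php stream wrapper", re.compile(r"\b(?:php|data|phar|expect)://", re.I)),
    ("null byte", re.compile(r"\x00")),
]


def normalize_uri(uri: str) -> str:
    """Percent-decode until stable (catches %2e%2e%2f and double-encoded %252e) and
    map backslashes to slashes so Windows-style traversal is not missed."""
    current = uri
    for _ in range(3):  # bounded: three rounds covers double encoding with margin
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def classify_uri(uri: str) -> List[str]:
    """Return the labels of every LFI rule the decoded URI triggers (empty if clean)."""
    decoded = normalize_uri(uri)
    return [label for label, rx in LFI_RULES if rx.search(decoded)]


def scan_log(text: str) -> List[Dict]:
    """Parse combined-format lines and keep those that look like inclusion attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort a whole log sweep
        reasons = classify_uri(m["uri"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "uri": m["uri"],
                "reasons": reasons,
                "hits_plugin": PLUGIN_DIR in normalize_uri(m["uri"]),
            })
    return findings


def attempts_per_ip(findings: List[Dict]) -> Dict[str, int]:
    """Repeated attempts from one source are the 'multiple failed inclusion attempts' signal."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample traffic (RFC 5737 test addresses); not captured from a real site.
# Parameter names are placeholders, not the plugin's actual parameters.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /?p=12&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/8.4"
203.0.113.10 - - [10/Mar/2025:12:00:03 +0000] "GET /index.php?template=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0 "-" "curl/8.4"
203.0.113.11 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?view=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /shop/?add-to-cart=42 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:12:00:06 +0000] "GET /wp-content/plugins/rewardsystem/assets/css/style.css HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], ", ".join(h["reasons"]), h["uri"])
    print(attempts_per_ip(hits))
```

A 200 status on a traversal request is the line to escalate first: it means the server answered the inclusion rather than rejecting it, whereas 403/404 hits show probing that a WAF or missing file stopped.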

🔗 References

  • Patchstack advisory: https://patchstack.com/database/wordpress/plugin/rewardsystem/vulnerability/wordpress-sumo-reward-points-plugin-30-7-0-local-file-inclusion-vulnerability?_s_id=cve
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-32925