CVE-2025-22508
Published: 09 January 2025
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Event Lite fat-event-lite allows PHP Local File Inclusion. This issue affects FAT Event Lite: from n/a through <= 1.1.
Security Summary
CVE-2025-22508 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, known as PHP Remote File Inclusion, in the roninwp FAT Event Lite WordPress plugin (fat-event-lite). The flaw allows PHP Local File Inclusion and affects all versions through 1.1. It is associated with CWE-98 and received a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with high attack complexity and without requiring user interaction or privileges. Exploitation enables local file inclusion, potentially leading to the high confidentiality, integrity, and availability impacts outlined in the CVSS metrics.
The Patchstack advisory provides further details on this unauthenticated non-arbitrary local file inclusion vulnerability in FAT Event Lite version 1.1: https://patchstack.com/database/Wordpress/Plugin/fat-event-lite/vulnerability/wordpress-fat-event-lite-plugin-1-1-unauthenticated-non-arbitrary-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)