CVE-2025-23915

CVE-2025-23915 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98), described as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion in the FAT Event Lite WordPress plugin by roninwp. The flaw affects all versions of the plugin up to and including 1.1. It carries a CVSS v3.1 base score of 7.5 (High), reflecting network accessibility with high attack complexity, low privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability in an unchanged scope.

Exploitation requires an authenticated attacker with low privileges (PR:L) to access the network-exposed plugin functionality (AV:N). Due to high attack complexity (AC:H) and no need for user interaction (UI:N), a successful attack allows the adversary to perform local file inclusion, potentially leading to high confidentiality loss through file disclosure, integrity compromise via included file manipulation, and availability disruption, all within the plugin's scope (S:U).

The Patchstack advisory details this authenticated non-arbitrary local file inclusion vulnerability and provides associated mitigation guidance at https://patchstack.com/database/Wordpress/Plugin/fat-event-lite/vulnerability/wordpress-fat-event-lite-plugin-1-1-authenticated-non-arbitrary-local-file-inclusion-vulnerability?_s_id=cve.