CVE-2025-27264
Published: 03 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-27264 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98) that enables PHP Local File Inclusion in the Doctor Appointment Booking WordPress plugin developed by Creativeitem. The issue affects all versions of the plugin from n/a through 1.0.0.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network by a low-privileged authenticated user through a high-complexity attack that requires no user interaction, and the scope is unchanged. Successful exploitation can have high impact on confidentiality, integrity, and availability, ranging from unauthorized reading of local files to code execution, depending on which files can be included.
The Patchstack advisory provides further details on the vulnerability in the Doctor Appointment Booking plugin version 1.0.0, including assessment and recommended actions: https://patchstack.com/database/Wordpress/Plugin/doctor-appointment-booking/vulnerability/wordpress-doctor-appointment-booking-plugin-1-0-0-local-file-inclusion-vulnerability?_s_id=cve.
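As an added illustration of the CWE-98 pattern the advisory names (this is not the plugin's code and is not derived from the advisory, which does not publish the affected code path), the vulnerable shape sits beside a hardened include that resolves the request against a fixed allowlist; the function names and the allowlist entries are constructed:

```php
<?php
// Added example, not the plugin's code: the CWE-98 pattern and a hardened form.

// VULNERABLE (CWE-98): a request parameter decides which file is included,
// so a client-supplied value reaches include() without validation.
function render_view_vulnerable(string $template_dir): void {
    $view = $_GET['view'] ?? 'index';
    include $template_dir . '/' . $view . '.php';
}

// HARDENED: accept only names from a fixed allowlist, then verify that the
// resolved path still lies inside the template directory before including it.
function render_view_hardened(string $template_dir): void {
    static $allowed = ['index', 'book', 'confirm'];   // constructed allowlist
    $view = $_GET['view'] ?? 'index';
    if (!in_array($view, $allowed, true)) {
        http_response_code(400);
        exit('unknown view');
    }
    $base = realpath($template_dir);
    $path = realpath($base . '/' . $view . '.php');
    // realpath() returns false for a missing file; the prefix check rejects any
    // resolved path (symlinks included) that escapes $base, as defence in depth.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit('view not found');
    }
    include $path;
}
```

The allowlist is the control that removes the CWE-98 condition; the realpath prefix check only guards against a mistake in maintaining it.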
Details
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An LFI vulnerability in a public-facing WordPress plugin directly enables exploitation of public-facing applications for initial access (T1190, Exploit Public-Facing Application) and unauthorized reading of local files for collection (T1005, Data from Local System).