CVE-2025-64287
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-64287 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the Edge-Themes Alloggio - Hotel Booking WordPress theme. This issue impacts all versions from n/a through 1.8 inclusive. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-98.
Remote attackers with network access can exploit this vulnerability without authentication or user interaction, though it requires high attack complexity. Successful exploitation allows attackers to perform local file inclusion, potentially leading to high-impact confidentiality, integrity, and availability violations, such as unauthorized access to sensitive files or system compromise on the targeted WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/alloggio/vulnerability/wordpress-alloggio-hotel-booking-theme-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve provides details on this vulnerability in the Alloggio theme. Security practitioners should consult this reference for recommended mitigations, such as updating to a patched version if available.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an exploitable flaw in a public-facing WordPress theme allowing remote local file inclusion without authentication, directly enabling T1190: Exploit Public-Facing Application.