CVE-2025-64287
Published: 06 November 2025
Summary
CVE-2025-64287 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-64287 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the Edge-Themes Alloggio - Hotel Booking WordPress theme. This issue impacts all versions from n/a through 1.8 inclusive. The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-98.
Remote attackers with network access can exploit this vulnerability without authentication or user interaction, though it requires high attack complexity. Successful exploitation allows attackers to perform local file inclusion, potentially leading to high-impact confidentiality, integrity, and availability violations, such as unauthorized access to sensitive files or system compromise on the targeted WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/alloggio/vulnerability/wordpress-alloggio-hotel-booking-theme-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve provides details on this vulnerability in the Alloggio theme. Security practitioners should consult this reference for recommended mitigations, such as updating to a patched version if available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38060
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion.This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an exploitable flaw in a public-facing WordPress theme allowing remote local file inclusion without authentication, directly enabling T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the improper filename control flaw in the Alloggio WordPress theme's PHP include/require statements by applying patches or updates to vulnerable versions <=1.8.
Validates and sanitizes user-supplied filenames at application input points to block malicious local file paths exploited in this PHP Local File Inclusion vulnerability.
Scans the WordPress system for vulnerabilities like CVE-2025-64287 to identify the presence of the affected Alloggio theme and trigger remediation.