CVE-2025-27011 Overview
CVE-2025-27011 is a PHP Local File Inclusion (LFI) vulnerability in the magepeopleteam Booking and Rental Manager plugin for WooCommerce. The flaw stems from improper control of filenames in PHP include/require statements [CWE-98]. It affects all versions of the plugin up to and including 2.2.8. Authenticated attackers with low privileges can leverage the issue to include arbitrary local PHP files on the server, potentially leading to code execution and disclosure of sensitive configuration data.
Critical Impact
Successful exploitation allows attackers to read local files and execute attacker-controlled PHP code within the WordPress process, compromising site confidentiality, integrity, and availability.
Affected Products
- magepeopleteam Booking and Rental Manager for WooCommerce plugin
- All versions from initial release through 2.2.8
- WordPress sites running the vulnerable plugin with WooCommerce
Discovery Timeline
- 2025-04-15 - CVE-2025-27011 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-27011
Vulnerability Analysis
The plugin fails to validate or sanitize user-controlled input that is passed into a PHP file inclusion function. When include, require, include_once, or require_once accepts attacker-influenced paths, an attacker can traverse the filesystem and load arbitrary local PHP files. The vulnerability requires network access and low-privilege authentication, but no user interaction. Once a file is included, its PHP code executes in the context of the WordPress web server process.
Root Cause
The root cause is improper control of a filename used in a PHP file inclusion statement [CWE-98]. The plugin trusts request parameters as path components without applying allow-list validation, path canonicalization, or restricting includes to a known plugin directory. This pattern enables directory traversal sequences such as ../ to escape the intended directory.
Attack Vector
An authenticated attacker submits a crafted HTTP request to a vulnerable plugin endpoint with a manipulated parameter that controls the included file path. The attacker can target local PHP files written by other means, such as uploaded media, log files containing attacker-controlled strings, or session files. Including these files executes their contents as PHP, yielding code execution under the web server account. Further technical detail is available in the Patchstack WordPress Vulnerability Advisory.
No verified public proof-of-concept code is available. The vulnerability mechanism follows the standard LFI pattern documented in [CWE-98].
Detection Methods for CVE-2025-27011
Indicators of Compromise
- HTTP requests to Booking and Rental Manager plugin endpoints containing path traversal sequences such as ../, ..%2f, or encoded null bytes
- Unexpected PHP processes spawning shells, outbound connections, or writing files under wp-content/uploads/
- Web server access logs showing parameters referencing system files like /etc/passwd, wp-config.php, or /proc/self/environ
Detection Strategies
- Inspect web server and WAF logs for query strings targeting plugin paths with file path parameters and traversal payloads
- Monitor file integrity for unexpected PHP files appearing in wp-content/uploads/ or other writable directories
- Alert on PHP error log entries referencing include() or require() failures with attacker-controlled paths
Monitoring Recommendations
- Enable verbose access logging on WordPress hosts and forward logs to a centralized analytics platform for query analysis
- Baseline normal request patterns to the Booking and Rental Manager plugin and alert on deviations
- Track outbound connections from the PHP-FPM or web server process to identify post-exploitation command-and-control activity
How to Mitigate CVE-2025-27011
Immediate Actions Required
- Identify all WordPress installations running the Booking and Rental Manager for WooCommerce plugin at version 2.2.8 or earlier
- Deactivate the plugin until a vendor-supplied patched version is installed
- Rotate WordPress administrator credentials, database credentials, and any secrets stored in wp-config.php if exploitation is suspected
- Review uploads directories for unauthorized PHP files and remove them
Patch Information
At the time of NVD publication, the advisory lists affected versions through <= 2.2.8. Refer to the Patchstack WordPress Vulnerability Advisory for the most current fixed version and vendor guidance. Apply the vendor patch as soon as it is available through the WordPress plugin repository.
Workarounds
- Deactivate and remove the Booking and Rental Manager for WooCommerce plugin until a fixed version is released
- Restrict access to plugin endpoints using a web application firewall rule blocking path traversal sequences in request parameters
- Disable PHP execution in wp-content/uploads/ and other user-writable directories using web server configuration
- Enforce least-privilege on the WordPress filesystem so the web server account cannot read sensitive system files
# Example nginx configuration to block PHP execution in uploads
location ~* /wp-content/uploads/.*\.php$ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

