Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-27011

CVE-2025-27011: Booking Manager LFI Vulnerability

CVE-2025-27011 is a PHP local file inclusion vulnerability in Booking and Rental Manager for WooCommerce that allows attackers to access unauthorized files. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-27011 Overview

CVE-2025-27011 is a PHP Local File Inclusion (LFI) vulnerability in the magepeopleteam Booking and Rental Manager plugin for WooCommerce. The flaw stems from improper control of filenames in PHP include/require statements [CWE-98]. It affects all versions of the plugin up to and including 2.2.8. Authenticated attackers with low privileges can leverage the issue to include arbitrary local PHP files on the server, potentially leading to code execution and disclosure of sensitive configuration data.

Critical Impact

Successful exploitation allows attackers to read local files and execute attacker-controlled PHP code within the WordPress process, compromising site confidentiality, integrity, and availability.

Affected Products

  • magepeopleteam Booking and Rental Manager for WooCommerce plugin
  • All versions from initial release through 2.2.8
  • WordPress sites running the vulnerable plugin with WooCommerce

Discovery Timeline

  • 2025-04-15 - CVE-2025-27011 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-27011

Vulnerability Analysis

The plugin fails to validate or sanitize user-controlled input that is passed into a PHP file inclusion function. When include, require, include_once, or require_once accepts attacker-influenced paths, an attacker can traverse the filesystem and load arbitrary local PHP files. The vulnerability requires network access and low-privilege authentication, but no user interaction. Once a file is included, its PHP code executes in the context of the WordPress web server process.

Root Cause

The root cause is improper control of a filename used in a PHP file inclusion statement [CWE-98]. The plugin trusts request parameters as path components without applying allow-list validation, path canonicalization, or restricting includes to a known plugin directory. This pattern enables directory traversal sequences such as ../ to escape the intended directory.

Attack Vector

An authenticated attacker submits a crafted HTTP request to a vulnerable plugin endpoint with a manipulated parameter that controls the included file path. The attacker can target local PHP files written by other means, such as uploaded media, log files containing attacker-controlled strings, or session files. Including these files executes their contents as PHP, yielding code execution under the web server account. Further technical detail is available in the Patchstack WordPress Vulnerability Advisory.

No verified public proof-of-concept code is available. The vulnerability mechanism follows the standard LFI pattern documented in [CWE-98].

Detection Methods for CVE-2025-27011

Indicators of Compromise

  • HTTP requests to Booking and Rental Manager plugin endpoints containing path traversal sequences such as ../, ..%2f, or encoded null bytes
  • Unexpected PHP processes spawning shells, outbound connections, or writing files under wp-content/uploads/
  • Web server access logs showing parameters referencing system files like /etc/passwd, wp-config.php, or /proc/self/environ

Detection Strategies

  • Inspect web server and WAF logs for query strings targeting plugin paths with file path parameters and traversal payloads
  • Monitor file integrity for unexpected PHP files appearing in wp-content/uploads/ or other writable directories
  • Alert on PHP error log entries referencing include() or require() failures with attacker-controlled paths

Monitoring Recommendations

  • Enable verbose access logging on WordPress hosts and forward logs to a centralized analytics platform for query analysis
  • Baseline normal request patterns to the Booking and Rental Manager plugin and alert on deviations
  • Track outbound connections from the PHP-FPM or web server process to identify post-exploitation command-and-control activity

How to Mitigate CVE-2025-27011

Immediate Actions Required

  • Identify all WordPress installations running the Booking and Rental Manager for WooCommerce plugin at version 2.2.8 or earlier
  • Deactivate the plugin until a vendor-supplied patched version is installed
  • Rotate WordPress administrator credentials, database credentials, and any secrets stored in wp-config.php if exploitation is suspected
  • Review uploads directories for unauthorized PHP files and remove them

Patch Information

At the time of NVD publication, the advisory lists affected versions through <= 2.2.8. Refer to the Patchstack WordPress Vulnerability Advisory for the most current fixed version and vendor guidance. Apply the vendor patch as soon as it is available through the WordPress plugin repository.

Workarounds

  • Deactivate and remove the Booking and Rental Manager for WooCommerce plugin until a fixed version is released
  • Restrict access to plugin endpoints using a web application firewall rule blocking path traversal sequences in request parameters
  • Disable PHP execution in wp-content/uploads/ and other user-writable directories using web server configuration
  • Enforce least-privilege on the WordPress filesystem so the web server account cannot read sensitive system files
bash
# Example nginx configuration to block PHP execution in uploads
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.