CVE-2025-39526: Hotel Booking Plugin LFI Vulnerability

CVE-2025-39526 Overview

CVE-2025-39526 is a PHP Local File Inclusion (LFI) vulnerability in the nicdark Hotel Booking WordPress plugin (nd-booking). The flaw stems from Improper Control of Filename for Include/Require Statement in PHP Program [CWE-98]. Attackers can manipulate file path parameters passed to PHP include or require statements to load arbitrary local files from the server. The vulnerability affects all versions of Hotel Booking up to and including 3.6. Successful exploitation impacts confidentiality, integrity, and availability of the underlying WordPress installation.

Critical Impact

Unauthenticated attackers can include arbitrary local PHP files, potentially leading to source code disclosure, sensitive data exposure, and remote code execution when combined with file upload primitives.

Affected Products

• nicdark Hotel Booking (nd-booking) WordPress plugin versions through 3.6
• WordPress sites with the nd-booking plugin installed and activated
• Hosting environments running the vulnerable plugin alongside writable upload directories

Discovery Timeline

• 2025-04-17 - CVE-2025-39526 published to the National Vulnerability Database
• 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2025-39526

Vulnerability Analysis

The vulnerability resides in the nd-booking plugin's handling of user-supplied input passed to PHP include, require, include_once, or require_once statements. The plugin fails to validate or sanitize filename parameters before passing them to file inclusion functions. An attacker can supply path traversal sequences such as ../ to escape the intended directory and reference arbitrary .php files on the filesystem.

The issue is classified under CWE-98, which covers improper control of filenames used in include or require statements. Although the CWE title references Remote File Inclusion, this instance is constrained to Local File Inclusion based on the advisory. Exploitation requires no authentication and can be triggered over the network. The current EPSS data places this vulnerability in the upper third of likely-exploited issues tracked.

Root Cause

The root cause is missing input validation on a filename parameter that flows directly into a PHP file inclusion sink. The plugin trusts user-controlled HTTP request data and concatenates it into an include path without enforcing an allow-list of permitted files or canonicalizing the resulting path. PHP's file inclusion functions execute any PHP code found in the included file, so any attacker-controlled path resolution becomes a code execution primitive.

Attack Vector

An unauthenticated remote attacker sends a crafted HTTP request to a vulnerable endpoint exposed by the nd-booking plugin. The request manipulates the vulnerable filename parameter using directory traversal sequences to point at sensitive files such as wp-config.php, log files, or session storage. When combined with techniques such as log poisoning or uploading a benign-looking file that contains PHP, the LFI escalates to arbitrary code execution under the web server user. Refer to the Patchstack Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-39526

Indicators of Compromise

• HTTP requests to nd-booking plugin endpoints containing path traversal sequences such as ../, ..%2f, or encoded variants in query string parameters
• Web server access logs showing requests that reference wp-config.php, /etc/passwd, or PHP session files via plugin parameters
• Unexpected PHP files appearing in plugin or upload directories after suspicious inbound traffic
• Outbound connections from the web server process to attacker-controlled infrastructure following plugin requests

Detection Strategies

• Inspect web access logs for requests targeting /wp-content/plugins/nd-booking/ paths with suspicious file parameters
• Deploy WAF rules that flag directory traversal patterns in HTTP parameters destined for WordPress plugin endpoints
• Monitor PHP error logs for include/require warnings referencing unexpected file paths
• Establish file integrity monitoring on the WordPress installation root and wp-content/uploads directory

Monitoring Recommendations

• Alert on any read access to wp-config.php originating from the web server process outside of normal application startup
• Correlate web request anomalies with new outbound network connections from the PHP-FPM or Apache worker process
• Track plugin version inventory across WordPress estates and flag any host running nd-booking 3.6 or earlier

How to Mitigate CVE-2025-39526

Immediate Actions Required

• Identify all WordPress sites running the nd-booking plugin and confirm the installed version
• Deactivate and remove the Hotel Booking plugin on any site where a patched release is not available
• Restrict access to WordPress administrative and plugin endpoints behind a WAF or IP allow-list while remediation is in progress
• Rotate any credentials, API keys, and database secrets stored in wp-config.php if exploitation is suspected

Patch Information

No fixed version is identified in the available advisory data. The vulnerability affects Hotel Booking versions through 3.6. Administrators should consult the Patchstack Vulnerability Report for the latest vendor remediation status and apply any subsequently published patch immediately.

Workarounds

• Remove or disable the nd-booking plugin until a verified patch is available
• Configure open_basedir in PHP to restrict file inclusion to the WordPress document root and required directories
• Set allow_url_include = Off and allow_url_fopen = Off in php.ini to limit inclusion primitives
• Apply virtual patching through a WAF rule that blocks path traversal sequences in requests to nd-booking endpoints

# Example php.ini hardening to limit file inclusion abuse
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
disable_functions = "system,exec,shell_exec,passthru,proc_open,popen"