Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows PHP Local File Inclusion. This issue affects Doctor Appointment Booking: from n/a through <= 1.0.0.
Published: 2025-03-03
Score: 7.5 High
EPSS: 1.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When the Doctor Appointment Booking plugin receives a filename, it passes it directly to a PHP include statement without adequate validation, which matches CWE-98. As a result, an attacker can supply arbitrary paths in an HTTP request and access files on the server that should not be publicly readable, such as configuration files, logs, or application source code. If the server permits execution of PHP files that contain the attacker’s code, or if a previously compromised file is overwritten, further compromise may be possible, but the CVE entry does not explicitly state that remote code execution is guaranteed.

Affected Systems

The vulnerability affects installations of Creativeitem’s Doctor Appointment Booking plugin on WordPress sites that are running version 1.0.0 or earlier. All sites running the plugin that have not updated from the initial release are therefore susceptible.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is rated high severity, but an EPSS score of 1% indicates a low likelihood of active exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed public exploits at the time of this assessment. The attack vector most likely involves a crafted HTTP request to the plugin that references a file path designed to traverse directories and include a local file.

Generated by OpenCVE AI on May 2, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Doctor Appointment Booking plugin to a version that implements proper filename validation for include/require statements
  • If an immediate update is not possible, disable the plugin and prevent direct web access to its PHP files via web‑server configuration
  • Modify the plugin’s code to restrict include paths to a known whitelist of directories and reject any path containing traversal characters such as "../"
  • Configure a web application firewall to detect and block requests containing suspicious path‑traversal patterns
  • Apply appropriate file permissions to the plugin’s directories so that only the web‑server user can read them
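
One way to implement the allowlist restriction recommended above, as an added example that is not the plugin's code or a vendor fix. The function name `dab_resolve_view`, the view names and the temporary directory are hypothetical; the request values are constructed.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
declare(strict_types=1);

// Map a request-supplied view name to a file inside $baseDir, or return null.
function dab_resolve_view(string $requested, string $baseDir, array $allowedViews): ?string
{
    // 1. Allowlist: the request value is only a lookup key, never part of a path.
    if (!array_key_exists($requested, $allowedViews)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() resolves symlinks and ".." segments
    //    and returns false when the file does not exist.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $allowedViews[$requested]);
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Containment: the resolved file must sit under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a temporary views directory holding two templates.
$views = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dab_views_' . bin2hex(random_bytes(4));
mkdir($views);
file_put_contents($views . '/booking-form.php', "<?php echo 'booking form';");
file_put_contents($views . '/doctor-list.php', "<?php echo 'doctor list';");
$allowed = ['booking' => 'booking-form.php', 'doctors' => 'doctor-list.php'];

// Constructed request values, including traversal-style input that must be refused.
foreach (['booking', 'doctors', '../outside.php', 'booking-form.php', ''] as $input) {
    $path = dab_resolve_view($input, $views, $allowed);
    if ($path === null) {
        echo 'rejected: ' . var_export($input, true) . PHP_EOL;
        continue;
    }
    echo 'include:  ' . var_export($input, true) . ' -> ';
    include $path;
    echo PHP_EOL;
}
array_map('unlink', glob($views . '/*.php')); rmdir($views); // remove demo files
```

Because the request value is used only as an array key, rejecting "../" becomes a side effect of the lookup rather than a string filter that can be bypassed by encoding tricks.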

Advisories
Source: EUVD
ID: EUVD-2025-5605
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Doctor Appointment Booking allows PHP Local File Inclusion. This issue affects Doctor Appointment Booking: from n/a through 1.0.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Doctor Appointment Booking allows PHP Local File Inclusion. This issue affects Doctor Appointment Booking: from n/a through 1.0.0.
Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creativeitem Doctor Appointment Booking doctor-appointment-booking allows PHP Local File Inclusion. This issue affects Doctor Appointment Booking: from n/a through <= 1.0.0.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 04 Mar 2025 03:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Doctor Appointment Booking allows PHP Local File Inclusion. This issue affects Doctor Appointment Booking: from n/a through 1.0.0.
Title WordPress Doctor Appointment Booking Plugin <= 1.0.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:46.692Z

Reserved: 2025-02-21T16:44:52.127Z

Link: CVE-2025-27264

Vulnrichment

Updated: 2025-03-03T15:23:05.256Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:58.123

Modified: 2026-04-23T15:26:15.493

Link: CVE-2025-27264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')