Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking fat-services-booking allows PHP Local File Inclusion. This issue affects FAT Services Booking: from n/a through <= 5.5.
Published: 2025-05-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fat Services Booking plugin contains an include or require call whose filename is derived from user input or configuration and is used without validation or sanitization. This flaw allows an attacker to point the statement at an arbitrary path on the server's filesystem, causing the application to read and execute that file. The weakness is classified as CWE-98, improper control of a filename used in a file inclusion statement.

Affected Systems

WordPress sites that have the roninwp FAT Services Booking plugin version 5.5 or earlier installed are affected according to the CNA disclosure. Sites using any newer release are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the time of the report. The vulnerability is not included in the CISA KEV catalog. The most likely attack vector is a web-based request that manipulates the plugin's filename parameter or configuration value, but the advisory does not detail the exploitation method, so this inference is drawn from typical LFI patterns in WordPress plugins.

Generated by OpenCVE AI on May 1, 2026 at 08:38 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the FAT Services Booking plugin to a version that removes the vulnerable include logic, if the vendor releases a fix for versions newer than 5.5.
  • If an update is not available, deactivate or uninstall the plugin to eliminate the risk of local file inclusion.
  • Add defensive controls such as whitelisting allowed filenames, enforcing strict directory restrictions on include paths, and sanitizing any user-supplied values before passing them to include or require statements.
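The last bullet's controls (an allowlist of filenames, a fixed include directory, and a canonical-path check), written out as an added example in PHP; this is not the plugin's own code, and FSB_VIEW_DIR, FSB_ALLOWED_VIEWS, fsb_resolve_view and the `view` request parameter are assumed names.

```php
<?php
// Added example, not code from FAT Services Booking. It shows the defensive
// controls the recommended actions describe: an allowlist of view names, a
// fixed base directory, and a realpath() check before include.

// Hypothetical view directory and allowlist (assumed names, not the plugin's).
const FSB_VIEW_DIR = __DIR__ . '/views';
const FSB_ALLOWED_VIEWS = ['calendar', 'booking-form', 'confirmation'];

/**
 * Resolve a user-controlled view name to a file under FSB_VIEW_DIR, or
 * return null if it is not on the allowlist or escapes the directory.
 */
function fsb_resolve_view(string $view): ?string
{
    // 1. Exact allowlist match: the only names that may ever be included.
    if (!in_array($view, FSB_ALLOWED_VIEWS, true)) {
        return null;
    }

    // 2. Build the path from a fixed base and a fixed extension, never from
    //    raw input, so stream wrappers and traversal sequences cannot appear.
    $candidate = FSB_VIEW_DIR . '/' . $view . '.php';

    // 3. Canonicalise and confirm the result still sits under the base
    //    directory (defence in depth against symlinks or later allowlist edits).
    $real = realpath($candidate);
    $base = realpath(FSB_VIEW_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage: the CWE-98 pattern is an include of a request value directly; the
// safe pattern resolves first and refuses anything unexpected.
$view = isset($_GET['view']) ? (string) $_GET['view'] : 'calendar';
$file = fsb_resolve_view($view);
if ($file === null) {
    http_response_code(400);
    exit('Unknown view');
}
include $file;
```

Log the rejected `view` values at the 400 branch if you want a detection signal for probing against the parameter.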


Advisories

Source: EUVD
ID: EUVD-2025-15508
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking allows PHP Local File Inclusion. This issue affects FAT Services Booking: from n/a through 5.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking allows PHP Local File Inclusion. This issue affects FAT Services Booking: from n/a through 5.5.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking fat-services-booking allows PHP Local File Inclusion.This issue affects FAT Services Booking: from n/a through <= 5.5.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking allows PHP Local File Inclusion. This issue affects FAT Services Booking: from n/a through 5.5.
Title WordPress Fat Services Booking plugin <= 5.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:50.356Z

Reserved: 2025-05-07T10:45:47.046Z

Link: CVE-2025-47693

Vulnrichment

Updated: 2025-05-16T16:22:58.544Z

NVD

Status : Deferred

Published: 2025-05-16T16:15:42.950

Modified: 2026-04-23T15:30:45.500

Link: CVE-2025-47693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses