Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Uxper Booking uxper-booking allows PHP Local File Inclusion. This issue affects Uxper Booking: from n/a through <= 1.3.3.
Published: 2025-08-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Uxper Booking plugin does not properly control the filename used in PHP include and require statements, permitting local file inclusion. An attacker who can influence the included path may read arbitrary files from the server, potentially exposing configuration data, credentials, or other sensitive information. The weakness is classified as CWE-98; based on the information provided, the impact is confidentiality loss rather than code execution.

Affected Systems

WordPress sites using the Uxper Booking plugin version 1.3.3 or earlier are affected. The issue applies to all releases from the earliest available version up to and including 1.3.3.

Risk and Exploitability

The CVSS score of 8.1 flags this as a high-severity vulnerability. The EPSS score is below 1%, indicating a very low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion triggered through unsanitized input that controls the included filename; if that input can be supplied by an external user, a remote attacker could prepare a request that triggers the inclusion. Exploitation would generally require the attacker to dictate the path or to reach a file through traversal. Given the high CVSS score, any successful exploitation would allow an attacker to read sensitive data and compromise the confidentiality of the affected site.

Generated by OpenCVE AI on April 30, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Uxper Booking plugin version 1.3.4 or later, which removes the vulnerable include handler
  • If an immediate update is not feasible, restrict file system permissions to limit the plugin’s access to the web root and remove the include capability via configuration or by disabling the affected feature
  • Implement a web application firewall rule to block requests containing suspicious path traversal patterns such as "../" or absolute paths in parameters that interact with the plugin
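For the "remove the include capability" and path-traversal points in the recommendations above, the following is an added example, not code from the Uxper Booking plugin or from OpenCVE: a hypothetical WordPress-style template loader that shows the CWE-98 pattern (request data reaching include()) next to a replacement that allowlists template slugs and checks that the canonical path stays inside the templates directory. The upb_* names, the templates/ directory and the slug list are assumptions for illustration; the code relies on PHP 8's str_contains and str_starts_with.

```php
<?php
// Added example (not the Uxper Booking plugin's code): a hypothetical
// WordPress-style template loader. The upb_* names, the templates/
// directory and the slug list are assumptions for illustration.

declare(strict_types=1);

// --- The weakness class (CWE-98): request data reaches include() unchecked.
// Kept only so the contrast with the hardened loader is visible.
function upb_load_template_unsafe(string $requested): void {
    // A traversal sequence or an absolute path in $requested is included as-is.
    include __DIR__ . '/templates/' . $requested;
}

// --- Hardened loader: strict allowlist first, canonical path containment second.
const UPB_TEMPLATES = ['calendar', 'booking-form', 'confirmation'];

function upb_is_traversal_like(string $value): bool {
    // Decode once so URL-encoded variants ("%2e%2e%2f", "%00") are inspected
    // the same way a literal "../" would be.
    $decoded = rawurldecode($value);
    return str_contains($decoded, "\0")
        || str_contains($decoded, '..')
        || str_contains($decoded, '/')
        || str_contains($decoded, '\\')
        || preg_match('/^[a-zA-Z]:/', $decoded) === 1;   // Windows drive prefix
}

function upb_resolve_template(string $requested): ?string {
    if (upb_is_traversal_like($requested)) {
        // Log the raw bytes so encoded or null-byte payloads are visible in review.
        error_log('upb: rejected template name (traversal-like): ' . bin2hex($requested));
        return null;
    }
    // Only known template slugs are accepted; nothing derived from user text.
    if (!in_array($requested, UPB_TEMPLATES, true)) {
        error_log('upb: rejected template name (not allowlisted): ' . $requested);
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        error_log('upb: templates directory missing');
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    // Defense in depth: even an allowlisted slug must resolve inside $base
    // (guards against symlinks or a misconfigured base directory).
    if ($target === false || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        error_log('upb: template resolved outside base: ' . var_export($target, true));
        return null;
    }
    return $target;
}

function upb_load_template_safe(string $requested): bool {
    $path = upb_resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Usage: the request handler passes the slug through the resolver and never
// hands raw input to include().
// upb_load_template_safe((string) ($_GET['tpl'] ?? 'calendar'));
```

The allowlist is the primary control; the realpath containment check is defense in depth. The same traversal-like test can back a WAF or logging rule of the kind recommended above, since it catches URL-encoded and null-byte variants that a literal "../" match would miss.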


Advisories

  Source: EUVD
  ID: EUVD-2025-25363
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badasswp Pending Order Bot allows Stored XSS. This issue affects Pending Order Bot: from n/a through 1.0.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badasswp Pending Order Bot allows Stored XSS. This issue affects Pending Order Bot: from n/a through 1.0.2.
    Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Uxper Booking uxper-booking allows PHP Local File Inclusion.This issue affects Uxper Booking: from n/a through <= 1.3.3.
  Title
    Values removed: WordPress Pending Order Bot plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
    Values added: WordPress Uxper Booking Plugin <= 1.3.3 - Local File Inclusion Vulnerability
  Weaknesses
    Values removed: CWE-79
    Values added: CWE-98
  References
    (no values shown)
  Metrics (cvssV3_1)
    {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Thu, 21 Aug 2025 12:45:00 +0000

  First Time appeared
    Values added: Wordpress; Wordpress wordpress
  Vendors & Products
    Values added: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000

  Metrics (ssvc)
    Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

  Description
    Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badasswp Pending Order Bot allows Stored XSS. This issue affects Pending Order Bot: from n/a through 1.0.2.
  Title
    Values added: WordPress Pending Order Bot plugin <= 1.0.2 - Cross Site Scripting (XSS) vulnerability
  Weaknesses
    Values added: CWE-79
  References
    (no values shown)
  Metrics (cvssV3_1)
    Values added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:07.266Z

Reserved: 2025-06-11T16:06:23.852Z

Link: CVE-2025-49892

Vulnrichment

Updated: 2025-08-20T17:51:48.196Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:38.647

Modified: 2026-04-23T15:31:47.787

Link: CVE-2025-49892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:30:06Z

Weaknesses