Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion. This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Alloggio – Hotel Booking WordPress theme contains unsanitized handling of filenames used in PHP include/require statements. This flaw permits an attacker to influence the path that is included, enabling Local File Inclusion. Based on the description, the vulnerability could potentially allow the reading of arbitrary files or the execution of PHP code residing within the WordPress installation. The weakness is categorized as CWE‑98.

Affected Systems

The vulnerability affects all releases of the Edge‑Themes Alloggio – Hotel Booking theme up to and including version 1.8. Any WordPress site that installs the theme at these or earlier versions is susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity, while the EPSS score of under 1% suggests a low current likelihood of exploitation. The issue is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker could supply a crafted request that points to a malicious file path from a normal user context, potentially leading to information disclosure or remote code execution.

Generated by OpenCVE AI on April 30, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Edge‑Themes Alloggio – Hotel Booking theme to the latest release that removes the LFI flaw.
  • If an update is not feasible, modify the theme’s code to enforce a strict whitelist for any include/require operation.
  • As a temporary safeguard, configure the web server or add an .htaccess rule to deny direct access to the theme directory, thereby blocking arbitrary file inclusion.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 06 Nov 2025 20:45:00 +0000

First Time appeared
  Values Added:
    Edge-themes
    Edge-themes alloggio Hotel Booking
    Wordpress
    Wordpress wordpress
Vendors & Products
  Values Added:
    Edge-themes
    Edge-themes alloggio Hotel Booking
    Wordpress
    Wordpress wordpress

Thu, 06 Nov 2025 17:15:00 +0000

Metrics
  Values Added:
    cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}
    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 16:00:00 +0000

Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Alloggio - Hotel Booking alloggio allows PHP Local File Inclusion. This issue affects Alloggio - Hotel Booking: from n/a through <= 1.8.
Title
  Values Added: WordPress Alloggio - Hotel Booking Theme theme <= 1.8 - Local File Inclusion vulnerability
Weaknesses
  Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:13.443Z

Reserved: 2025-10-29T03:29:08.850Z

Link: CVE-2025-64287

Vulnrichment

Updated: 2025-11-06T16:27:23.315Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:14.493

Modified: 2026-04-27T16:16:40.043

Link: CVE-2025-64287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses