CVE-2025-27011 is a Local File Inclusion (LFI) vulnerability found in the magepeopleteam Booking and Rental Manager plugin for WooCommerce, affecting versions up to 2.2.8. The vulnerability arises from improper control of the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary files from the server. This can lead to disclosure of sensitive files such as configuration files, source code, or credentials, and in some cases, may enable remote code execution if the attacker can include files containing malicious code. The vulnerability is categorized as a PHP Remote File Inclusion type but is specifically a Local File Inclusion issue, meaning the attacker can include files present on the server rather than remote files. No CVSS score has been assigned yet, and there are no known exploits in the wild as of the publication date. The vulnerability affects the Booking and Rental Manager plugin used in WooCommerce-based e-commerce sites, which manage booking and rental services. The flaw stems from insufficient validation or sanitization of user-supplied input controlling the file path in include/require statements, violating secure coding practices. This vulnerability can be exploited remotely without authentication if the affected endpoint is exposed, making it a significant risk for websites using this plugin. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate attention from administrators. The issue was reserved in February 2025 and published in April 2025 by Patchstack, highlighting its recent discovery.

The impact of CVE-2025-27011 on organizations worldwide can be substantial, particularly for those relying on the magepeopleteam Booking and Rental Manager plugin in their WooCommerce e-commerce platforms. Successful exploitation allows attackers to read arbitrary files on the server, potentially exposing sensitive information such as database credentials, API keys, or user data, which can lead to further compromise. In some scenarios, attackers might leverage this vulnerability to execute arbitrary code if they can upload or control files on the server, leading to full system compromise. This threatens confidentiality, integrity, and potentially availability if attackers disrupt services or deploy ransomware. The vulnerability can undermine customer trust and result in regulatory penalties if personal data is exposed. Since WooCommerce is widely used globally, the scope of affected systems is broad, especially among small to medium-sized businesses that may not have robust security monitoring. The absence of authentication requirements for exploitation increases the risk, as attackers can target vulnerable sites directly. The lack of known exploits currently reduces immediate risk but does not diminish the urgency for remediation, as public disclosure may prompt attackers to develop exploits rapidly.

To mitigate CVE-2025-27011, organizations should immediately audit their WooCommerce installations to identify if the magepeopleteam Booking and Rental Manager plugin is in use and determine the version. If affected (version 2.2.8 or earlier), administrators should monitor vendor channels closely for official patches and apply them promptly once released. In the interim, restrict access to the vulnerable plugin's endpoints using web application firewalls (WAFs) or IP whitelisting to limit exposure. Implement strict input validation and sanitization on all user-supplied parameters controlling file paths, ensuring only expected filenames or whitelisted paths are accepted. Disable PHP functions that allow file inclusion if not necessary, such as allow_url_include, and configure PHP open_basedir restrictions to limit accessible directories. Conduct regular security assessments and code reviews of custom plugins or extensions to detect similar vulnerabilities. Additionally, maintain comprehensive backups and incident response plans to quickly recover from potential exploitation. Educate developers and administrators on secure coding practices related to file inclusion to prevent recurrence.