
CVE-2025-47693: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in roninwp FAT Services Booking

High
Tags: Vulnerability, CVE-2025-47693, cve, cwe-98
Published: Fri May 16 2025 (05/16/2025, 15:45:17 UTC)
Source: CVE
Vendor/Project: roninwp
Product: FAT Services Booking

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in roninwp FAT Services Booking allows PHP Local File Inclusion. This issue affects FAT Services Booking: from n/a through 5.5.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 22:48:56 UTC

Technical Analysis

CVE-2025-47693 is a high-severity vulnerability classified under CWE-98, improper control of the filename used in a PHP include or require statement. It affects the roninwp FAT Services Booking plugin in all versions up to and including 5.5. The flaw permits PHP Local File Inclusion (LFI): the plugin does not adequately validate or sanitize the user-supplied input that selects the file passed to include or require, so an attacker can cause the application to include files from the server's local filesystem. Depending on the server configuration and the files reachable, this can lead to information disclosure, arbitrary code execution, and potentially full system compromise. The CVSS v3.1 base score is 7.5 (High) with vector string AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: the attack is performed remotely over the network, requires high attack complexity and low privileges, and needs no user interaction; the impact on confidentiality, integrity, and availability is high, since successful exploitation can disclose sensitive files, alter application behaviour, and cause denial of service or code execution. No exploits in the wild are currently reported, and no patch or fix has been linked yet. The vulnerability was published on May 16, 2025, and is tracked by Patchstack and enriched by CISA, indicating recognition by authoritative security bodies.

Potential Impact

For European organizations using the roninwp FAT Services Booking plugin, this vulnerability poses a significant risk. The ability to perform local file inclusion can allow attackers to access sensitive configuration files, credentials, or other protected data, potentially leading to data breaches. Furthermore, it can enable remote code execution, allowing attackers to take control of affected web servers, disrupt services, or pivot within internal networks. This is particularly critical for organizations in sectors such as hospitality, event management, or service booking platforms that rely on this plugin for customer-facing booking functionalities. Compromise could lead to loss of customer trust, regulatory penalties under GDPR for data breaches, and operational downtime. Given the high confidentiality, integrity, and availability impact, exploitation could severely disrupt business operations and expose sensitive personal data of European citizens.

Mitigation Recommendations

European organizations should immediately audit their use of the roninwp FAT Services Booking plugin and identify affected versions (up to and including 5.5). Until an official patch is released, it is recommended to implement strict input validation and sanitization on any parameters that control file inclusion paths. Web application firewalls (WAFs) should be configured to detect and block requests matching LFI patterns. Restricting PHP include paths and disabling allow_url_include in the PHP configuration can reduce risk. Additionally, running the web server with least privilege and isolating the application environment can limit the impact of a successful exploit. Monitoring logs for unusual file access or errors related to include statements can provide early detection. Organizations should subscribe to vendor advisories for prompt patch releases and apply updates as soon as they become available. If feasible, consider temporarily disabling the plugin or replacing it with an alternative booking solution until the vulnerability is resolved.
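As an added illustration of the input-validation recommendation above (this is not code from the FAT Services Booking plugin or its vendor), the CWE-98 pattern the advisory describes is shown beside a hardened template loader; the `template` request parameter, the template names, the templates directory and the function names are all assumed.

```php
<?php
// Added example, not plugin code. Assumed: a plugin that picks a PHP template
// from a request parameter named "template" (the parameter name is assumed).

// CWE-98 pattern: the request parameter flows straight into include(), so any
// path the web server user can read becomes includable (Local File Inclusion).
// function load_booking_template_unsafe( string $template ): void {
//     include plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php';
// }

/**
 * Resolves a request-supplied template name to a file inside the plugin's
 * templates directory, or returns null if it is not an approved template.
 */
function resolve_booking_template( string $requested, string $template_dir ): ?string {
    // 1. Allowlist: only template names the plugin itself ships may be loaded
    //    (the names below are assumed for the example).
    $allowed = [ 'calendar', 'service-list', 'confirmation' ];
    if ( ! in_array( $requested, $allowed, true ) ) {
        return null;
    }
    // 2. Defence in depth: the resolved path must be an existing regular file
    //    physically located under the templates directory (no traversal).
    $base = realpath( $template_dir );
    $path = realpath( $template_dir . '/' . $requested . '.php' );
    if ( false === $base || false === $path || ! is_file( $path ) ) {
        return null;
    }
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function load_booking_template( string $template_dir ): void {
    // sanitize_key() normalises the parameter to lowercase [a-z0-9_-] before
    // it is compared against the allowlist; anything else is rejected.
    $requested = isset( $_GET['template'] )
        ? sanitize_key( wp_unslash( $_GET['template'] ) )
        : 'calendar';
    $path = resolve_booking_template( $requested, $template_dir );
    if ( null === $path ) {
        wp_die( esc_html__( 'Unknown template.', 'booking-plugin' ), '', [ 'response' => 400 ] );
    }
    include $path;
}
```

The allowlist is the control that actually closes CWE-98; the realpath() containment check only guards against a future edit that relaxes it.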


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-05-07T10:45:47.046Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682cd0f91484d88663aebd5c

Added to database: 5/20/2025, 6:59:05 PM

Last enriched: 7/11/2025, 10:48:56 PM

Last updated: 7/29/2025, 12:50:35 PM
