CVE-2025-64287 is a vulnerability classified as improper control of filename for include/require statements in the PHP program within the Edge-Themes Alloggio - Hotel Booking product. This vulnerability allows for Remote File Inclusion (RFI) or Local File Inclusion (LFI), where an attacker can manipulate the filename parameter used in PHP's include or require functions to load arbitrary files. The affected versions include all releases up to and including version 1.8. The root cause is insufficient validation or sanitization of user-supplied input that controls the file path, enabling attackers to specify remote URLs or local file paths. Successful exploitation can lead to execution of malicious PHP code, disclosure of sensitive files, or complete takeover of the web server hosting the application. Although no known exploits have been reported in the wild, the vulnerability is publicly disclosed and poses a significant risk due to the common use of PHP and the popularity of the Alloggio theme in hotel booking websites. The vulnerability was reserved and published in late 2025, but no official patch or CVSS score is currently available. The lack of a patch increases the urgency for organizations to implement interim mitigations.

For European organizations, especially those in the hospitality and tourism sectors using the Alloggio theme or similar PHP-based booking platforms, this vulnerability presents a substantial risk. Exploitation could lead to unauthorized remote code execution, allowing attackers to deface websites, steal customer data including personal and payment information, or use compromised servers as a foothold for further attacks within the network. This can result in reputational damage, regulatory penalties under GDPR for data breaches, and operational disruptions. Given the critical nature of online booking systems for revenue generation, downtime or data compromise could have severe financial consequences. Additionally, the vulnerability could be leveraged to distribute malware or ransomware, amplifying the impact. The absence of known exploits currently provides a window for proactive defense, but the public disclosure increases the likelihood of future exploitation attempts.

Immediate mitigation steps include disabling allow_url_include in the PHP configuration to prevent remote file inclusion. Organizations should audit and sanitize all user inputs that influence file inclusion paths, implementing strict whitelisting of allowable files. Employing web application firewalls (WAFs) with rules targeting RFI/LFI patterns can help detect and block exploitation attempts. Until an official patch is released by Edge-Themes, consider isolating the affected application in a segmented network zone with limited privileges. Regularly monitor logs for suspicious requests containing directory traversal or URL parameters in include statements. If possible, replace or upgrade the Alloggio theme to a version confirmed to be free of this vulnerability. Conduct penetration testing focused on file inclusion vectors to validate the effectiveness of mitigations. Finally, maintain up-to-date backups and incident response plans to minimize damage in case of compromise.