CVE-2025-64287 is a vulnerability classified as improper control of filename for include/require statements in the PHP-based Edge-Themes Alloggio - Hotel Booking system. This vulnerability enables remote file inclusion (RFI), a critical security flaw where an attacker can manipulate the filename parameter used in PHP's include or require functions to load arbitrary files, potentially from remote locations. The vulnerability affects all versions up to and including 1.8. The CVSS 3.1 base score of 8.1 reflects a high severity, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), scope change (S:C), and high impact on confidentiality and integrity (C:H/I:H), with low impact on availability (A:L). Exploitation requires an attacker to have some level of authenticated access and to trick a user into interaction, but can lead to execution of arbitrary PHP code, data exfiltration, or system compromise. The vulnerability arises from insufficient validation or sanitization of user-controlled input used in file inclusion functions, allowing attackers to specify malicious files. Although no public exploits are reported yet, the nature of RFI vulnerabilities makes this a critical concern for affected deployments. The vulnerability is particularly dangerous in web-facing applications like hotel booking systems, where attackers can leverage it to compromise customer data or disrupt services.

For European organizations, especially those in the hospitality sector using the Alloggio booking system, this vulnerability poses a significant risk to data confidentiality and integrity. Attackers exploiting this flaw could execute arbitrary code on the web server, leading to theft of sensitive customer data such as personal identification and payment information, defacement of websites, or pivoting to internal networks. The impact on availability is lower but could still occur through system instability or targeted disruption. Given the hospitality industry's importance in Europe, breaches could lead to regulatory penalties under GDPR, reputational damage, and financial losses. The requirement for some privileges and user interaction reduces the attack surface but does not eliminate risk, especially in environments with multiple users or weak access controls. The vulnerability could also be leveraged in supply chain attacks if attackers compromise the booking system to distribute malware to clients or partners.

Organizations should immediately audit their use of the Alloggio - Hotel Booking system and identify affected versions (up to 1.8). Until a vendor patch is released, apply the following mitigations: 1) Disable allow_url_include and allow_url_fopen in PHP configurations to prevent remote file inclusion. 2) Implement strict input validation and sanitization on all user inputs that influence file inclusion, using whitelisting of allowed filenames or paths. 3) Restrict file inclusion to fixed directories using realpath checks and avoid dynamic file paths based on user input. 4) Limit the privileges of the web server user to reduce impact of potential code execution. 5) Monitor web server logs and application behavior for unusual file access or inclusion attempts. 6) Employ Web Application Firewalls (WAFs) with rules to detect and block RFI attempts. 7) Educate users about phishing or social engineering risks that could facilitate user interaction required for exploitation. 8) Once available, promptly apply official patches from Edge-Themes. 9) Conduct regular security assessments and code reviews focusing on file inclusion logic.