CVE-2025-64377 is a vulnerability classified as Remote File Inclusion (RFI) in the ListingPro plugin developed by CridioStudio, which is a PHP-based directory and listing management tool commonly used in WordPress environments. The root cause is improper control over the filename parameter used in PHP's include or require statements, which allows an attacker to manipulate the input to include arbitrary files. This can lead to Local File Inclusion (LFI) or Remote File Inclusion (RFI), depending on the server configuration and input sanitization. An attacker exploiting this vulnerability can execute arbitrary PHP code by including malicious files hosted remotely or locally, potentially leading to full system compromise, data theft, or defacement. The vulnerability affects all versions of ListingPro prior to 2.9.10. No CVSS score has been assigned yet, and no public exploits have been reported. The vulnerability was reserved on October 31, 2025, and published on December 18, 2025. The lack of patch links suggests that a fix may be pending or recently released. The vulnerability is critical in nature due to the direct impact on confidentiality, integrity, and availability of affected systems, and the ease with which an unauthenticated attacker can exploit it remotely.

For European organizations, the impact of this vulnerability can be severe, especially for those relying on ListingPro for their public-facing websites or directory services. Exploitation could allow attackers to execute arbitrary code on web servers, leading to unauthorized access to sensitive data, defacement of websites, or use of compromised servers as pivot points for further attacks within the network. This could result in data breaches involving personal data protected under GDPR, leading to regulatory penalties and reputational damage. Additionally, service disruption could affect business continuity and customer trust. Organizations in sectors such as e-commerce, tourism, and local business directories, which commonly use ListingPro, are particularly at risk. The absence of known exploits in the wild provides a window for proactive mitigation, but the potential impact remains high given the nature of the vulnerability.

1. Immediately upgrade ListingPro to version 2.9.10 or later once the patch is officially released by CridioStudio. 2. Until a patch is applied, implement web application firewall (WAF) rules to detect and block suspicious include/require requests or attempts to inject remote file paths. 3. Review and harden PHP configuration settings, such as disabling allow_url_include and allow_url_fopen directives to prevent remote file inclusion. 4. Implement strict input validation and sanitization on all parameters that influence file inclusion, ensuring only expected and safe filenames are accepted. 5. Restrict file inclusion paths using PHP's open_basedir directive to limit accessible directories. 6. Conduct thorough code reviews and penetration testing focused on file inclusion vectors. 7. Monitor web server logs for unusual requests or errors related to file inclusion attempts. 8. Educate developers and administrators about secure coding practices to prevent similar vulnerabilities in the future.