CVE-2025-64377: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in CridioStudio ListingPro
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CridioStudio ListingPro listingpro allows PHP Local File Inclusion. This issue affects ListingPro: from n/a through < 2.9.10.
AI Analysis
Technical Summary
CVE-2025-64377 is a file inclusion vulnerability in the ListingPro plugin developed by CridioStudio, affecting versions prior to 2.9.10. The record is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), whose CWE title carries the label 'PHP Remote File Inclusion', but the advisory text itself describes the outcome as PHP Local File Inclusion (LFI): user-supplied input reaches an include or require statement without adequate validation, so an attacker can make the application include a file of their choosing from the server's own filesystem rather than from a remote URL. LFI on its own discloses server-side files (configuration, credentials, source code); it becomes remote code execution when the attacker can get content they control onto the host, through log files, session files or previously uploaded files, and then include that file. That extra step is why the flaw is rated as full compromise while still carrying a high attack complexity. The CVSS 3.1 vector reported for this issue gives a base score of 8.1: network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U) and high impact on confidentiality, integrity and availability (C:H/I:H/A:H). No public exploit had been reported at the time of writing, but file inclusion bugs in widely installed WordPress components are routinely added to mass-scanning tooling once details emerge, so web servers running vulnerable ListingPro versions should be treated as at serious risk. Attackers could use it to read wp-config.php and other secrets, deploy web shells, steal data, deface sites or disrupt services. The CVE was reserved on 2025-10-31 and published in mid-December 2025. No patch link is attached to the record, so administrators must confirm the fixed version directly with CridioStudio or the repository from which the plugin was obtained. This vulnerability is relevant to any organization running ListingPro on WordPress.
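The Python example below is an added illustration and is not ListingPro code; it does not reproduce the vulnerable function, which the advisory does not publish. It shows the CWE-98 pattern the summary describes (request input spliced into an include path) next to the control a fix needs: a strict identifier check, an allow-list, and a canonical-path prefix check. The parameter name "template", the template directory and the allow-listed names are assumptions for the demo. The same logic maps one-to-one onto PHP (preg_match, in_array, realpath and a prefix comparison before include).

```python
import os
import re
from typing import Optional

# Constructed demo layout. The directory and the template names are
# assumptions, not taken from the ListingPro code base.
TEMPLATE_ROOT = "/var/www/html/wp-content/plugins/listingpro/templates"
ALLOWED_TEMPLATES = {"grid", "list", "map"}

# A template name may only be a plain identifier: no slashes, dots, colons,
# NUL bytes or whitespace, so traversal and stream wrappers cannot appear.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_resolve(user_value: str) -> str:
    """CWE-98 pattern: the request value is concatenated into the include path.

    Nothing is validated, so "../" sequences walk out of TEMPLATE_ROOT and the
    appended ".php" suffix is not a control (it only constrains which file
    name is opened, not which directory).
    """
    return TEMPLATE_ROOT + "/" + user_value + ".php"


def escapes_root(path: str) -> bool:
    """True when the normalized path lies outside TEMPLATE_ROOT."""
    normalized = os.path.normpath(path)
    return os.path.commonpath([TEMPLATE_ROOT, normalized]) != TEMPLATE_ROOT


def hardened_resolve(user_value: str) -> Optional[str]:
    """Allow-list first, then prove the canonical path stays under the root.

    Returns the absolute include path, or None when the request must be
    rejected. The caller should fail closed (404) and must not fall back to a
    default path built from the same untrusted input.
    """
    # 1. Syntactic check: rejects "../", "php://", "%00"-decoded NULs, spaces.
    if not SAFE_NAME.fullmatch(user_value):
        return None
    # 2. Semantic check: only names the plugin actually ships may be loaded.
    if user_value not in ALLOWED_TEMPLATES:
        return None
    # 3. Path check: even if the allow-list is later made dynamic (e.g. built
    #    from a directory listing), the resolved file must sit inside the root.
    #    PHP code would use realpath() here so symlinks are followed first.
    candidate = os.path.normpath(os.path.join(TEMPLATE_ROOT, user_value + ".php"))
    if escapes_root(candidate):
        return None
    return candidate


if __name__ == "__main__":
    probes = ["grid", "../" * 8 + "etc/passwd",
              "php://filter/convert.base64-encode/resource=wp-config", "map\x00"]
    for p in probes:
        print(repr(p), "->", "ESCAPES" if escapes_root(vulnerable_resolve(p)) else "inside",
              "| hardened:", hardened_resolve(p))
```

Run as a script it prints, for each probe, whether the naive concatenation leaves the template directory and what the hardened resolver returns; only "grid" yields a path.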
Potential Impact
For European organizations, the impact of CVE-2025-64377 can be severe. ListingPro is a widely deployed directory and listing plugin, used by businesses, municipalities and service providers to manage online listings. Exploitation could lead to full compromise of the web server, resulting in breaches of personal or business data, defacement of public-facing sites and disruption of online services. Confidentiality is at high risk: file inclusion alone exposes server-side files such as wp-config.php, and once escalated to code execution it gives access to the database and any credentials stored on the host. Integrity is compromised by unauthorized content modification or malware injection. Availability may be affected if attackers deploy ransomware or use the compromised server for denial-of-service activity. Given the plugin's use in tourism, local government and commerce, the fallout can extend to reputational damage and GDPR penalties if personal data is exposed. The high attack complexity lowers the immediate likelihood of exploitation but does not remove it, particularly once automated scanners include a check for this issue. Organizations running ListingPro should treat remediation as a priority.
Mitigation Recommendations
1. Update ListingPro to version 2.9.10 or later, which the advisory identifies as the first fixed release.
2. If an update cannot be applied immediately, add WAF rules that block requests whose parameters contain directory-traversal sequences ("../" in plain, URL-encoded and double-encoded forms) or PHP stream wrappers (php://, data:, expect://, phar://). Treat these rules as a stop-gap, not a fix.
3. Harden the PHP configuration: set open_basedir so that PHP can only read the web root and the temporary directories it needs, and confirm allow_url_include is Off (it is Off by default and deprecated since PHP 7.4). Note that allow_url_include only governs inclusion of remote URLs; it does not stop inclusion of local files, which is what this advisory describes, so open_basedir and filesystem permissions are the relevant controls here.
4. Inventory all web-facing servers running ListingPro and record the installed version; the WordPress plugin list in the admin UI, or "wp plugin list" from WP-CLI, shows this directly.
5. Monitor web server logs for requests whose parameters contain traversal sequences, stream wrappers or sensitive file names such as /etc/passwd or wp-config.php. A 200 response to such a request is a stronger indicator of success than a 4xx or 5xx, because it suggests the include actually ran.
6. Employ runtime application self-protection (RASP) tooling to detect and block file inclusion attempts at the PHP layer.
7. Educate development and IT teams on secure coding for file operations: allow-list file names, canonicalize paths with realpath, and verify the result stays under the intended directory before any include or require.
8. Back up website data and configuration regularly, and keep backups offline, so that a compromised site can be rebuilt from a known-good state.
9. Run the web server and PHP-FPM as a low-privilege account and make plugin and theme directories read-only for that account where the deployment allows, so that a successful inclusion cannot easily be turned into a persistent web shell.
10. Coordinate with CridioStudio support channels for official patches and security advisories.
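As an added illustration of recommendations 2 and 5 (not from the advisory, Patchstack or the vendor), the Python script below parses combined-format access log lines, decodes the request target repeatedly so that double-encoded traversal is caught, and flags the indicators a WAF rule or SIEM query should look for. The log lines are constructed for the demo, and the "template" parameter is hypothetical: the advisory does not name the vulnerable parameter, so the patterns key on the payload shape rather than on a parameter name.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format; only the fields needed here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of file-inclusion probing, matched against the fully decoded
# request target. http(s):// is deliberately left out: URLs appear in benign
# parameters (redirects, share links) and the advisory describes local
# inclusion, so remote-URL patterns would mostly add noise.
INDICATORS = [
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("php_wrapper", re.compile(r"\b(php|data|expect|phar|zip|glob|file)://", re.I)),
    ("null_byte", re.compile(r"\x00")),
    ("sensitive_file", re.compile(
        r"(/etc/passwd|/proc/self/environ|wp-config\.php|\.htaccess)", re.I)),
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so %252e%252e%252f becomes ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    hits = [name for name, rx in INDICATORS if rx.search(target)]
    if not hits:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": m["status"],   # 200 on a traversal request is the strongest signal
        "target": target,
        "indicators": hits,
    }


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in (scan_line(l) for l in lines) if f]


# Constructed sample log for the demo (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2025:10:14:01 +0000] "GET /?template=grid HTTP/1.1" 200 5123
203.0.113.7 - - [19/Dec/2025:10:14:02 +0000] "GET /?template=..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842
198.51.100.23 - - [19/Dec/2025:10:15:40 +0000] "GET /?template=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 500 0
198.51.100.23 - - [19/Dec/2025:10:15:41 +0000] "GET /?template=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 20991
192.0.2.5 - - [19/Dec/2025:10:16:00 +0000] "GET /listing/cafe-aurora/ HTTP/1.1" 200 7712
192.0.2.5 - - [19/Dec/2025:10:16:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["ts"], finding["ip"], finding["status"],
              ",".join(finding["indicators"]), finding["target"])
```

Run against the sample it reports three of the six requests. The same indicator list can be dropped into a WAF rule set or a SIEM query; the decoding step matters because a rule applied only to the raw URL misses the double-encoded variant on the third line.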
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-10-31T11:23:19.708Z
CVSS Version: null
State: PUBLISHED
Threat ID: 6943b0564eb3efac36700b35
Added to database: 12/18/2025, 7:42:14 AM
Last enriched: 1/21/2026, 12:10:18 AM
Last updated: 2/7/2026, 6:36:09 PM
Views: 31
Related Threats
CVE-2026-2106: Improper Authorization in yeqifu warehouse (Medium)
CVE-2026-2105: Improper Authorization in yeqifu warehouse (Medium)
CVE-2026-2090: SQL Injection in SourceCodester Online Class Record System (Medium)
CVE-2026-2089: SQL Injection in SourceCodester Online Class Record System (Medium)
CVE-2026-2088: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)