CVE-2025-47693: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-47693) was discovered in roninwp FAT Services Booking WordPress plugin affecting versions through 5.5. The vulnerability was disclosed on May 16, 2025, and was identified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability. The issue is classified as CWE-98 and received a CVSS v3.1 base score of 7.5 (High) (Wiz, NVD).

The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires low privileges and no user interaction but has high attack complexity (Patchstack).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Sensitive files containing credentials, such as database configuration files, could potentially be exposed, leading to complete database compromise depending on the system configuration (Patchstack).

Currently, there is no official fix available for this vulnerability. The issue affects FAT Services Booking plugin versions up to and including 5.5 (Wiz).