CVE-2025-53259: 
WordPress vulnerability analysis and mitigation

CVE-2025-53259 is a Local File Inclusion vulnerability discovered in the WordPress Hotel Booking plugin (nicdark Hotel Booking). The vulnerability affects versions up to 3.7 of the plugin and was disclosed on June 27, 2025. This security issue is classified as an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (NVD, Patchstack).

The vulnerability is categorized as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and has been assigned a CVSS v3.1 base score of 7.5 (High). The attack vector is network-accessible (AV:N), with high attack complexity (AC:H), requiring low privileges (PR:L), no user interaction (UI:N), and affecting a single scope (S:U). The impact includes high confidentiality, integrity, and availability effects (C:H/I:H/A:H) (NVD, Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents on the screen. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to a complete database takeover depending on the configuration (Patchstack).

The vulnerability has been fixed in version 3.8 of the WordPress Hotel Booking plugin. Users are advised to update to version 3.8 or later to remove the vulnerability. For sites using Patchstack, users can enable auto-update for vulnerable plugins (Patchstack).