CVE-2025-67963
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-29
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ovatheme | movie_booking | to 1.1.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67963 is a high-priority vulnerability in the WordPress Movie Booking Plugin versions up to 1.1.5 that allows unauthenticated attackers to perform arbitrary file deletion on the affected website. This happens due to broken access control, specifically an improper limitation of a pathname to a restricted directory (path traversal), enabling attackers to delete critical core files and potentially break the website. [1]
How can this vulnerability impact me? :
This vulnerability can have a severe impact by allowing attackers to delete important files on your website without authentication. This can cause the website to malfunction or completely stop working, leading to downtime, loss of data, and potentially costly recovery efforts. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately update the WordPress Movie Booking Plugin to version 1.1.6 or later, where the issue is fixed. Additionally, you can apply Patchstack's provided mitigation rules to block attacks targeting this vulnerability until you update. Patchstack also offers automatic mitigation and auto-update options for rapid protection. [1]