Platform: wordpress
Component: movie-booking
Fixed in: 1.1.6
CVE-2025-67963 describes an Arbitrary File Access vulnerability within the Ovatheme Movie Booking WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths, leading to sensitive data exposure. Versions 0.0.0 through 1.1.5 are affected, and a patch is available in version 1.1.6.
Arbitrary file access of this kind lets an attacker read files outside the directory the plugin is meant to serve, typically by passing a path containing traversal sequences (../) to a file-handling parameter. On a WordPress host the first target is usually wp-config.php, which holds the database credentials and the authentication salts; with those an attacker can frequently take over the site outright, so the practical impact is close to full compromise of the WordPress instance even though the advisory describes only a read primitive. The exposure is worse if the web server user can also read files belonging to other applications on the same host. No direct remote code execution path is described, but arbitrary file read is a common stepping stone: configuration files, backups and source code reveal secrets and further weaknesses whose usefulness depends on the server's layout and permissions.
CVE-2025-67963 was publicly disclosed on 2026-01-22. At the time of writing there is no indication of active exploitation, no CISA KEV listing, and no public proof-of-concept; the current EPSS score of 0.02% (5th percentile) reflects that. Path traversal bugs are generally simple to exploit once the vulnerable endpoint and parameter are known, so the low EPSS should be read as an absence of observed activity rather than as a reason to defer patching a CVSS 8.6 issue.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation is to upgrade the Ovatheme Movie Booking plugin to version 1.1.6 or later. If upgrading is not immediately feasible because of compatibility issues, add a Web Application Firewall (WAF) rule that blocks requests to the plugin's paths containing traversal sequences. The rule has to match after URL decoding: attackers routinely send ..%2f, %2e%2e/ or double-encoded %252e%252e%252f instead of a literal ../, and a rule that looks only for the literal string is trivially bypassed. Also tighten file permissions so the web server user can read only what it needs (wp-config.php in particular should not be world-readable), and review installed plugins regularly so that only those from trusted sources remain. Confirm the installed version from the WordPress admin Plugins page or with the WP-CLI command wp plugin list, and after upgrading re-test with the traversal request that your scanner or the vendor advisory flagged, verifying that the server now refuses it.
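The following is an added example, not code from the advisory or from the Ovatheme plugin: a WAF-style traversal matcher that decodes percent-encoding (including double encoding) before matching, run over a few constructed access-log lines. The client addresses, the log lines and the "view.php?file=" endpoint are invented for illustration; the advisory does not name the vulnerable endpoint or parameter, so that path must not be read as the real attack surface.

```python
# Added example (not from the advisory or the Ovatheme plugin): a WAF-style
# path-traversal matcher and a scan of web-server access logs with it.
# The log lines, client IPs and the "view.php?file=" endpoint below are
# constructed; the advisory does not name the vulnerable endpoint or parameter.
import re
from typing import List, Tuple
from urllib.parse import unquote

PLUGIN_PREFIX = "/wp-content/plugins/movie-booking/"

# Constructed combined-log-format lines: three encoded variants of the same
# traversal attempt against the plugin, benign plugin traffic, the home page,
# and a traversal attempt against a different script.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/movie-booking/view.php?file=../../../../wp-config.php HTTP/1.1" 200 1532 "-" "curl/8.4"
203.0.113.5 - - [22/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/movie-booking/view.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1532 "-" "curl/8.4"
203.0.113.5 - - [22/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/movie-booking/view.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 1532 "-" "curl/8.4"
198.51.100.9 - - [22/Jan/2026:10:00:04 +0000] "GET /wp-content/plugins/movie-booking/assets/css/style.css HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Jan/2026:10:00:05 +0000] "GET /?p=12 HTTP/1.1" 200 20410 "-" "Mozilla/5.0"
192.0.2.77 - - [22/Jan/2026:10:00:06 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 310 "-" "python-requests/2.32"
"""

# Extract "<METHOD> <TARGET> HTTP/x.y" from a combined-log-format line.
_REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) HTTP/[\d.]+"')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable (catches %2e%2e%2f as well as
    double-encoded %252e%252e%252f), fold backslashes to slashes, strip NUL
    bytes and lowercase, so that one comparison covers the usual evasions."""
    cur = target
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur.replace("\\", "/").replace("\x00", "").lower()


def has_traversal(target: str) -> bool:
    """True if any segment of the decoded request target is exactly '..'.
    Splitting on '/', '?', '&' and '=' makes this cover traversal in the path
    and inside query-string values; requiring the whole segment to be '..'
    avoids false positives on names such as 'a..b.css'."""
    norm = normalize_target(target)
    return any(seg == ".." for seg in re.split(r"[/?&=]", norm))


def scan_log(log_text: str, prefix: str = PLUGIN_PREFIX) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_target) for requests under `prefix` that carry a
    traversal sequence. Scoping to the plugin directory keeps a WAF rule from
    tripping on unrelated traffic; pass prefix="" to scan the whole site."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ_RE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        if normalize_target(target).startswith(prefix) and has_traversal(target):
            hits.append((ip, target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

The decode-then-match order is the point: the second and third sample lines contain no literal "../" and would sail past a rule that matches the raw request string, yet both decode to the same traversal as the first line.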
Update to version 1.1.6, or a newer patched version
CVE-2025-67963 is a vulnerability in Ovatheme Movie Booking allowing attackers to read arbitrary files on the server. It has a HIGH severity rating (CVSS: 8.6) and affects versions 0.0.0 through 1.1.5.
You are affected if your WordPress site uses the Ovatheme Movie Booking plugin and is running version 0.0.0 through 1.1.5. Check your plugin versions immediately.
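As an added example (not the advisory's or the plugin's own code), the check below reads the Version field of a WordPress plugin header and decides whether the installed copy is below the fixed release 1.1.6. The plugin header text is constructed; the real plugin's main file name and header wording are not given by the advisory. Version components are compared numerically, since a plain string comparison would wrongly rank 1.10 below 1.9.

```python
# Added example (not from the advisory or the Ovatheme plugin): determine
# whether an installed plugin version lies in the affected range (< 1.1.6)
# from the "Version:" line of a WordPress plugin header. The header below is
# constructed; the plugin's actual main file and wording are not given here.
import re
from typing import Tuple

FIXED_VERSION = "1.1.6"

# Constructed plugin header in the standard WordPress comment-block form.
SAMPLE_PLUGIN_HEADER = """\
<?php
/**
 * Plugin Name: Movie Booking
 * Description: Example header for illustration only.
 * Version: 1.1.5
 * Requires PHP: 7.4
 */
"""

_VERSION_HDR = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-+.]?([0-9A-Za-z.]+))?$")


def header_version(plugin_file_text: str) -> str:
    """Return the value of the header's Version: field, or raise if absent."""
    m = _VERSION_HDR.search(plugin_file_text)
    if not m:
        raise ValueError("no Version: field in plugin header")
    return m.group(1)


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.1.6-rc1' into ((1, 1, 6), 'rc1'); '1.1.5' gives ((1, 1, 5), '')."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, (m.group(2) or "")


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison. Missing components count as 0, and a
    pre-release tag sorts before the bare release (1.1.6-rc1 < 1.1.6)."""
    an, at = parse_version(a)
    bn, bt = parse_version(b)
    width = max(len(an), len(bn))
    an += (0,) * (width - len(an))
    bn += (0,) * (width - len(bn))
    if an != bn:
        return an < bn
    if at and not bt:
        return True
    if bt and not at:
        return False
    return at < bt


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    return version_lt(version, fixed)


if __name__ == "__main__":
    installed = header_version(SAMPLE_PLUGIN_HEADER)
    print(f"installed {installed}: {'AFFECTED' if is_affected(installed) else 'patched'}")
```

Point the header parser at the plugin's main PHP file under wp-content/plugins to check a live install; the same comparison applies to any "fixed in" version string.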
Upgrade the Ovatheme Movie Booking plugin to version 1.1.6 or later. If immediate upgrade is not possible, implement WAF rules to block path traversal attempts.
There is currently no confirmed active exploitation of CVE-2025-67963. Path traversal flaws are usually straightforward to exploit once the affected endpoint is known, so public exploit code may appear after the fix is analysed; patch ahead of that.
Refer to the official Ovatheme Movie Booking plugin documentation and WordPress security announcements for the latest advisory regarding CVE-2025-67963.