Introduction
Attackers can achieve remote code execution on WordPress sites running WP Travel Engine by exploiting a local file inclusion flaw in the plugin's AJAX endpoints. This vulnerability is accessible without authentication and affects all plugin versions up to and including 6.6.7, putting over 20,000 travel and tour operator websites at risk of compromise.
WP Travel Engine is a leading WordPress plugin for travel agencies and tour operators, powering booking and itinerary management for a significant portion of the online tourism sector. Its broad adoption and integration with sensitive customer data make vulnerabilities in this plugin especially impactful for both site owners and their clients.
Technical Information
CVE-2025-7634 is a local file inclusion vulnerability in the WP Travel Engine plugin for WordPress. The flaw is present in the handling of the mode parameter by AJAX endpoints, specifically in the following controller files:
- includes/classes/Core/Controllers/Ajax/FilterTripsHtml.php at line 72
- includes/classes/Core/Controllers/Ajax/LoadTripsHtml.php at line 27
The vulnerability arises because user input from the mode parameter is used directly to determine which file to include, without sufficient validation or sanitization. This allows an attacker to specify arbitrary file paths, leading to the inclusion and execution of any PHP file accessible to the web server. If attackers are able to upload a PHP file to the server through another vector, they can use this flaw to execute their code and take full control of the affected site.
The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The attack does not require authentication, making it exploitable at scale via automated tools. Exploitation can result in bypassing access controls, disclosure of sensitive information, and remote code execution.
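To make the CWE-98 pattern concrete, the following added PHP example (not the plugin's code; the function, template and directory names are hypothetical) contrasts a mode-selected include with a hardened version that maps the parameter through a fixed allowlist and confines the resolved path to the template directory.

```php
<?php
// Added illustration of CWE-98 for the class of flaw described above.
// Hypothetical names throughout; this is not WP Travel Engine code.

// Vulnerable pattern: the request parameter becomes part of the include path.
// A value such as "../../some-uploaded-file" escapes $templateDir entirely.
function render_trips_html_unsafe(array $request, string $templateDir): void
{
    $mode = $request['mode'] ?? 'grid';
    include $templateDir . '/' . $mode . '.php';
}

// Hardened pattern: the parameter is only ever a key into a fixed map,
// so no attacker-supplied characters reach the filesystem path.
const TRIP_TEMPLATE_MODES = [
    'grid' => 'trips-grid.php',
    'list' => 'trips-list.php',
];

function resolve_trips_template(string $mode, string $templateDir): ?string
{
    if (!array_key_exists($mode, TRIP_TEMPLATE_MODES)) {
        return null; // unknown mode: refuse rather than guess a file
    }
    $path = realpath($templateDir . '/' . TRIP_TEMPLATE_MODES[$mode]);
    $base = realpath($templateDir);
    // Defence in depth: the resolved file must still sit inside the template directory.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_trips_html_safe(array $request, string $templateDir): void
{
    $template = resolve_trips_template((string) ($request['mode'] ?? 'grid'), $templateDir);
    if ($template === null) {
        http_response_code(400); // reject; nothing is included
        return;
    }
    include $template;
}

// Stand-alone demo with constructed inputs (no WordPress required).
$dir = sys_get_temp_dir() . '/trips-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/trips-grid.php', "<?php echo 'grid template rendered';\n");
render_trips_html_safe(['mode' => 'grid'], $dir);
render_trips_html_safe(['mode' => '../../etc/passwd'], $dir);
```

The second call is rejected at the allowlist lookup before any path is built, which is the property a patched AJAX handler should have.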
References to the vulnerable code are available in public repositories.
Affected Systems and Versions
- Product: WP Travel Engine WordPress plugin
- Affected versions: All versions up to and including 6.6.7
- Only WordPress sites with this plugin enabled are vulnerable
Vendor Security History
WP Travel Engine has experienced multiple critical vulnerabilities in recent versions:
- CVE-2025-5282: Missing authorization in delete package functionality (up to 6.5.1)
- Previous local file inclusion issues in older versions
- Security disclosures have primarily come from external researchers such as Wordfence and Patchstack
- Vendor provides updates but changelog transparency is limited