WP Travel Engine CVE-2025-7634: Local File Inclusion Vulnerability Brief Summary

This post provides a brief summary of CVE-2025-7634, a critical local file inclusion vulnerability affecting all versions up to and including 6.6.7 of the WP Travel Engine WordPress plugin. The summary focuses on technical details, affected versions, and vendor security history, with references to public advisories and research.
ZeroPath CVE Analysis

2025-10-08

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can achieve remote code execution on WordPress sites running WP Travel Engine by exploiting a local file inclusion flaw in the plugin's AJAX endpoints. This vulnerability is accessible without authentication and affects all plugin versions up to and including 6.6.7, putting over 20,000 travel and tour operator websites at risk of compromise.

WP Travel Engine is a leading WordPress plugin for travel agencies and tour operators, powering booking and itinerary management for a significant portion of the online tourism sector. Its broad adoption and integration with sensitive customer data make vulnerabilities in this plugin especially impactful for both site owners and their clients.

Technical Information

CVE-2025-7634 is a local file inclusion vulnerability in the WP Travel Engine plugin for WordPress. The flaw is present in the handling of the mode parameter by AJAX endpoints, specifically in the following controller files:

  • includes/classes/Core/Controllers/Ajax/FilterTripsHtml.php at line 72
  • includes/classes/Core/Controllers/Ajax/LoadTripsHtml.php at line 27

The vulnerability arises because user input from the mode parameter is used directly to determine which file to include, without sufficient validation or sanitization. This allows an attacker to specify arbitrary file paths, leading to the inclusion and execution of any PHP file accessible to the web server. If attackers are able to upload a PHP file to the server through another vector, they can use this flaw to execute their code and take full control of the affected site.

The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The attack does not require authentication, making it exploitable at scale via automated tools. Exploitation can result in bypassing access controls, disclosure of sensitive information, and remote code execution.
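The CWE-98 pattern described above, a request parameter deciding which file gets included, beside a hardened version that resolves the mode through a fixed allowlist and checks that the resolved path stays inside the template directory. This is an added illustration, not WP Travel Engine's code; the function names, template directory layout and mode values are hypothetical.

```php
<?php
// Added example, not WP Travel Engine code: the CWE-98 include pattern and one way to close it.
// Directory layout, function names and mode values are hypothetical.

// Vulnerable shape: whatever the request supplies for "mode" becomes part of the include path,
// so the client, not the server, chooses which PHP file is loaded and executed.
function render_trips_vulnerable(array $request): void {
    $mode = $request['mode'] ?? 'grid';
    include __DIR__ . '/templates/trips-' . $mode . '.php';
}

// Hardened shape: the request selects a key; the server owns the file name and the directory.
function render_trips_hardened(array $request): void {
    $path = resolve_trips_template((string) ($request['mode'] ?? 'grid'));
    if ($path === null) {
        http_response_code(400);   // unknown mode: refuse rather than guess
        return;
    }
    include $path;
}

// Map a mode key to a template path, or return null for anything not on the allowlist.
function resolve_trips_template(string $mode): ?string {
    static $allowed = [
        'grid' => 'trips-grid.php',
        'list' => 'trips-list.php',
    ];
    if (!isset($allowed[$mode])) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$mode]);
    // Defence in depth: even an allowlisted entry must resolve to an existing file under $base,
    // so a misconfigured template directory or symlink cannot widen the include scope.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}
```

The allowlist is the fix; the realpath containment check only guards against the allowlist itself being wrong.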

References to the vulnerable code are available in public repositories:

Affected Systems and Versions

  • Product: WP Travel Engine WordPress plugin
  • Affected versions: All versions up to and including 6.6.7
  • Only WordPress sites with this plugin enabled are vulnerable

Vendor Security History

WP Travel Engine has experienced multiple critical vulnerabilities in recent versions:

  • CVE-2025-5282: Missing authorization in delete package functionality (up to 6.5.1)
  • Previous local file inclusion issues in older versions
  • Security disclosures have primarily come from external researchers such as Wordfence and Patchstack
  • Vendor provides updates but changelog transparency is limited

References
