Description
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Published: 2025-03-15
Score: 9.8 Critical
EPSS: 1.1% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Traveler WordPress theme is vulnerable in versions up to 3.1.8 to a Local File Inclusion flaw triggered by the 'style' parameter in the hotel_alone_load_more_post function. An unauthenticated attacker can cause the theme to include and execute arbitrary files on the server, enabling them to run any PHP code. This can lead to bypassing access controls, exfiltrating sensitive data, or establishing persistent remote code execution if PHP files can be uploaded or accessed locally.

Affected Systems

All installations of the ShineTheme Travel Booking WordPress Theme running a version 3.1.8 or earlier are impacted. The vulnerability applies to the function available publicly via the WordPress site.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of 1% shows that exploitation is likely given the high impact. The exploit does not currently appear in the CISA KEV catalog. Attackers can trigger the flaw through a simple unauthenticated web request to the vulnerable function, so the attack vector is remote network access to the affected site.

Generated by OpenCVE AI on April 20, 2026 at 23:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Traveler theme to the latest available version (3.1.9 or newer) immediately.
  • If an update cannot be applied, disable or remove the hotel_alone_load_more_post function and the 'style' parameter from public access.
  • Configure the web server or a WAF to block or sanitize the style parameter from containing path traversal sequences and ensure only safe, non-php file types are uploaded or included.

Generated by OpenCVE AI on April 20, 2026 at 23:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-6630 The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
History

Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00391}

 epss

{'score': 0.00485}

Fri, 28 Mar 2025 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Shinecommerce
Shinecommerce traveler
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:shinecommerce:traveler:*:*:*:*:*:wordpress:*:*
Vendors & Products Shinecommerce
Shinecommerce traveler

Mon, 17 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 15 Mar 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Title Traveler <= 3.1.8 - Unauthenticated Local File Inclusion via hotel_alone_load_more_post
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Shinecommerce Traveler
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:27:18.456Z

Reserved: 2025-02-28T05:52:16.720Z

Link: CVE-2025-1771

cve-icon Vulnrichment

Updated: 2025-03-17T16:54:32.478Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-15T05:15:47.253

Modified: 2025-03-28T15:05:47.470

Link: CVE-2025-1771

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:45:21Z

Weaknesses