Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
Published: 2025-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename used in a PHP include/require statement allows the WP Travel Engine plugin to include local files. An attacker who can influence the include path could read sensitive files present on the server or, in the worst case, execute arbitrary PHP code if the include target is a file the attacker can write to. This vulnerability can lead to disclosure of confidential data or compromise of the host.

Affected Systems

WP Travel Engine plugin for WordPress, version 6.3.5 or earlier. All installations of the plugin up through 6.3.5 are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, but the EPSS score is below 1%, implying a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker could potentially trigger the flaw through a remote web request that manipulates the plugin’s include path, suggesting a remote attack vector. The ability to read or execute local files poses a significant threat to confidentiality and integrity of the affected system.

Generated by OpenCVE AI on May 1, 2026 at 02:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Travel Engine to the latest version, 6.3.6 or newer, which removes the vulnerability.
  • If an upgrade is not immediately possible, disable or delete the plugin until a patch is applied to prevent the LFI from being used.
  • Ensure that PHP’s allow_url_include is disabled and that the web server’s file permissions restrict the plugin from accessing sensitive files outside the expected directories.


Advisories
Source ID Title
EUVD EUVD-2025-9086 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 27 May 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Wptravelengine
Wptravelengine wp Travel Engine
Weaknesses CWE-706
CPEs cpe:2.3:a:wptravelengine:wp_travel_engine:*:*:*:*:*:wordpress:*:*
Vendors & Products Wptravelengine
Wptravelengine wp Travel Engine

Tue, 01 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5.
Title WordPress WP Travel Engine plugin <= 6.3.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.308Z

Reserved: 2025-03-26T09:21:08.359Z

Link: CVE-2025-30870

Vulnrichment

Updated: 2025-04-01T15:57:14.953Z

NVD

Status: Modified

Published: 2025-04-01T06:15:53.407

Modified: 2026-04-23T15:27:13.810

Link: CVE-2025-30870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:45:06Z

Weaknesses