Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
Published: 2025-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Travel Engine plugin, up to version 6.3.5, improperly controls the filename passed to an include/require statement in its PHP code (CWE-98), allowing an attacker to trigger local file inclusion. This can lead to execution of arbitrary PHP code if the attacker can supply a path to a vulnerable file, or to the reading of sensitive files.

Affected Systems

The vulnerability affects installations of the WP Travel Engine WordPress plugin with versions up to and including 6.3.5. Any WordPress site that has not yet upgraded beyond this version is potentially impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact, while the EPSS score of less than 1% suggests exploitation likelihood is currently low. As the issue is not listed in the CISA KEV catalog, no known widespread exploitation has been reported yet. The typical attack vector would be through a crafted web request that manipulates the plugin’s filename handling to include a local file.

Generated by OpenCVE AI on May 1, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Travel Engine plugin to the latest available version (greater than 6.3.5).
  • Disable or restrict PHP include and require functions in the server configuration if the plugin cannot be updated immediately.
  • Ensure file permissions on the WordPress installation are set so that only the web server can read necessary files, preventing unauthorized file access.


Advisories
Source | ID | Title
EUVD | EUVD-2025-8326 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5.
Description (added): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 09 Jun 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Wptravelengine
Wptravelengine wp Travel Engine
CPEs cpe:2.3:a:wptravelengine:wp_travel_engine:*:*:*:*:*:wordpress:*:*
Vendors & Products Wptravelengine
Wptravelengine wp Travel Engine

Thu, 27 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5.
Title WordPress WP Travel Engine plugin <= 6.3.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.559Z

Reserved: 2025-03-26T09:21:08.359Z

Link: CVE-2025-30871

Vulnrichment

Updated: 2025-03-27T13:13:22.738Z

NVD

Status: Modified

Published: 2025-03-27T11:15:48.243

Modified: 2026-04-23T15:27:13.940

Link: CVE-2025-30871

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:00:06Z
