Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly tour-booking-manager allows PHP Local File Inclusion. This issue affects WpTravelly: from n/a through <= 1.8.7.
Published: 2025-03-27
Score: 8.8 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of a filename used in a PHP include/require statement within WpTravelly’s tour‑booking‑manager plugin. This flaw, classified as CWE‑98, enables the plugin to read or potentially execute files located on the server, which may lead to disclosure of sensitive configuration data or the execution of unintended code. The impact is confined to the web application hosting the plugin, with a high severity due to the possible compromise of configuration and source files.

Affected Systems

WpTravelly tour‑booking‑manager versions up through 1.8.7 are affected. No other vendors or product families are listed; all installations using these releases are impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates a high level of severity, while the EPSS score of 2% indicates a low current likelihood of exploitation. The vulnerability is not present in CISA’s KEV catalog. Likely attack vectors involve web‑accessible paths that accept a file name parameter, which the plugin then passes to an include/require call without validation. Based on the description, it is inferred that an attacker could read arbitrary local files and that, depending on server configuration, executing PHP code through this path might be possible.

Generated by OpenCVE AI on May 12, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WpTravelly to a version newer than 1.8.7, applying any vendor patch that addresses the improper filename validation.
  • If an update cannot be performed immediately, disable or remove the plugin or the specific feature that performs the unsafe include operation.
  • Restrict PHP’s include_path setting to only contain trusted directories and ensure that the web root is not writable by the web process to limit which files can be included.
  • Implement strict input validation or maintain a whitelist of permissible file names when the plugin accepts user input for inclusion, following best practices for CWE‑98.
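
One way to implement the allowlist from the last recommendation, as an added example (not code from the plugin or from OpenCVE). The directory, the template names, the `style` parameter and `resolve_template()` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout: TEMPLATE_DIR, ALLOWED_TEMPLATES and
// resolve_template() are illustrations, not identifiers from the plugin.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = [
    'list' => 'list.php',
    'grid' => 'grid.php',
];

/**
 * Map a request-supplied key to a file that is safe to include.
 * Returns null for anything outside the allowlist or the template directory.
 */
function resolve_template(string $key): ?string
{
    // 1. The key only selects an entry; it never becomes part of a path.
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }
    // 2. Canonicalise and confirm containment, so a symlink or a bad
    //    allowlist entry cannot escape TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Weak pattern (CWE-98), shown for contrast only, with a hypothetical parameter:
//   include TEMPLATE_DIR . '/' . $_GET['style'] . '.php';

// Constructed sample inputs: one allowlisted key (included only if
// templates/list.php exists) and three values that must be rejected.
foreach (['list', '../outside', 'php://filter/resource=x', ''] as $input) {
    $file = resolve_template($input);
    if ($file === null) {
        echo 'rejected: ' . var_export($input, true) . PHP_EOL;
        continue;
    }
    include $file;
}
```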


Advisories
Source: EUVD
ID: EUVD-2025-8318
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly allows PHP Local File Inclusion. This issue affects WpTravelly: from n/a through 1.8.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly allows PHP Local File Inclusion. This issue affects WpTravelly: from n/a through 1.8.7.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly tour-booking-manager allows PHP Local File Inclusion. This issue affects WpTravelly: from n/a through <= 1.8.7.
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 27 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpTravelly allows PHP Local File Inclusion. This issue affects WpTravelly: from n/a through 1.8.7.
Title WordPress WpTravelly Plugin <= 1.8.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.695Z

Reserved: 2025-03-26T09:21:23.220Z

Link: CVE-2025-30891

Vulnrichment

Updated: 2025-03-27T15:52:06.721Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:50.057

Modified: 2026-04-23T15:27:16.483

Link: CVE-2025-30891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T14:45:17Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')