Description
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-10-09
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediate
AI Analysis

Impact

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion (CWE-98) through the mode parameter, which can be supplied without authentication. An attacker can make the plugin include an arbitrary .php file already present on the server, executing whatever PHP code that file contains. This can bypass access controls and expose sensitive data, and it becomes remote code execution wherever the attacker can also get a .php file onto the host (for example through an upload feature) and then include it.

Affected Systems

WordPress installations running the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin at version 6.6.7 or earlier are affected.

Risk and Exploitability

The CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates critical severity: network-reachable, low complexity, no privileges and no user interaction. The EPSS score is below 1% and the vulnerability is not listed in CISA KEV, so observed exploitation is low at the time of writing; the SSVC record in the history below nonetheless rates it Automatable: yes with Technical Impact: total, so it lends itself to automated exploitation. Exploitation consists of a crafted unauthenticated request that sets the mode parameter to a path the plugin then includes. Including files that already exist is enough to read or execute code on the host; if the attacker can also place a .php file in a directory the PHP process can read (an upload directory, for example), the inclusion yields arbitrary code execution.

Generated by OpenCVE AI on April 20, 2026 at 21:41 UTC.
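
Detection logic for the request pattern described above, as an added example that is not part of the OpenCVE analysis or the vendor's material: it walks constructed Apache combined-format log lines, pulls the mode query parameter, and flags values that cannot be a plain template name (traversal, double-encoded traversal, absolute paths, PHP stream wrappers, explicit .php targets). The request paths, addresses, user agents and the assumption that mode arrives in the query string are mine; adapt the parser to the endpoint the plugin actually exposes on your site.

```php
<?php
// Added detection example, not from the page or the vendor. The log lines are
// constructed Apache combined-format entries; request paths, IPs and user
// agents are assumptions for the example.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [09/Oct/2025:10:01:12 +0000] "GET /tours/?mode=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Oct/2025:10:01:13 +0000] "GET /tours/?mode=../../../../wp-config HTTP/1.1" 200 910 "-" "curl/8.5.0"
198.51.100.9 - - [09/Oct/2025:10:02:40 +0000] "GET /tours/?mode=%252e%252e%252fwp-config HTTP/1.1" 200 910 "-" "python-requests/2.32"
198.51.100.9 - - [09/Oct/2025:10:02:41 +0000] "GET /tours/?mode=/var/www/html/wp-content/uploads/2025/10/img.php HTTP/1.1" 200 12 "-" "python-requests/2.32"
192.0.2.3 - - [09/Oct/2025:10:03:00 +0000] "GET /tours/?mode=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.3 - - [09/Oct/2025:10:03:05 +0000] "POST /tours/ HTTP/1.1" 200 30 "-" "Mozilla/5.0"
LOG;

// Classify one value of the mode parameter. Returns a reason string, or null
// for a value that looks like a plain template name.
function wpte_lfi_reason(string $mode): ?string
{
    // parse_str() already decoded once; decode again so double encoding
    // (%252e -> %2e -> .) does not slip past the checks below.
    $value = rawurldecode($mode);
    if (strpos($value, "\0") !== false) {
        return 'null byte';
    }
    if (preg_match('#^(php|phar|data|file|expect|zip)://#i', $value)) {
        return 'stream wrapper';
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        return 'path traversal';
    }
    if (preg_match('#^([A-Za-z]:)?[\\\\/]#', $value)) {
        return 'absolute path';
    }
    if (preg_match('#\.ph(p\d?|tml|ar)$#i', $value)) {
        return 'explicit PHP file target';
    }
    return null;
}

// Walk a combined-format access log and return the suspicious requests.
function wpte_scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue; // no query string, so mode cannot be present in the URL
        }
        parse_str($query, $params);
        if (!isset($params['mode']) || !is_string($params['mode'])) {
            continue;
        }
        $reason = wpte_lfi_reason($params['mode']);
        if ($reason !== null) {
            $hits[] = compact('ip', 'time', 'method', 'status', 'reason') + ['mode' => $params['mode']];
        }
    }
    return $hits;
}

// Stand-alone run over the constructed sample: four of the six lines are flagged.
foreach (wpte_scan_log(SAMPLE_LOG) as $hit) {
    printf("%-14s %-26s %s %s mode=%s [%s]\n",
        $hit['ip'], $hit['time'], $hit['method'], $hit['status'], $hit['mode'], $hit['reason']);
}
```

A 200 status on a flagged line is not evidence that the include succeeded: PHP commonly returns 200 together with a warning when an include fails, so correlate hits with the PHP error log and with any new .php files under the uploads directory. Scanning only the query string is an assumption of this example; if the parameter can also be posted in a body, the body must be logged and parsed too.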

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a release newer than 6.6.7; the advisory names 6.6.7 as the last affected version. The Remediation section above records no vendor-confirmed fix, so check the vendor changelog for the installed version rather than assuming the next release closes the issue.
  • If the update is delayed, restrict the mode parameter to an allowlist of known template names before it reaches any include or require call, and reject anything else. Stripping characters such as ../ is not a substitute: it still leaves every .php file in the include directory reachable.
  • Prevent .php uploads at the application level and enforce strict permissions on any directory the inclusion could target. Web server rules that refuse to execute PHP in upload directories limit direct webshell use but do not help against this bug, because include() runs the file inside the PHP process regardless of those rules; restricting what the PHP process may read (file permissions, open_basedir) is what narrows the blast radius.
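
The bug class and the allowlist fix recommended above, as an added PHP example that is not the plugin's own code: the function names, the template map and the base directory are assumptions. The first function shows the CWE-98 shape (a request value spliced into an include path); the rest shows the allowlist approach, where the raw value is only ever a map key and the resolved path is still checked against the base directory.

```php
<?php
// Added illustration of the CWE-98 pattern and its fix. This is not the
// plugin's code: the function names, the template list and the base
// directory are assumptions made for the example.

// VULNERABLE PATTERN (shown for contrast, never called below): a request
// value is spliced into an include path. With mode=../../../../wp-config the
// include resolves to wp-config.php; with an absolute path it reaches any
// readable .php file, including one the attacker uploaded earlier.
function wpte_vulnerable_render(array $request, string $base_dir): void
{
    $mode = $request['mode'] ?? 'default';
    include $base_dir . '/' . $mode . '.php';
}

// HARDENED PATTERN: the request value is only ever used as a key into a
// fixed map. Unknown keys are rejected outright rather than "cleaned",
// because character stripping is easy to get wrong and still leaves every
// file in the template directory reachable.
const WPTE_MODES = [
    'list'   => 'templates/list.php',
    'grid'   => 'templates/grid.php',
    'single' => 'templates/single.php',
];

function wpte_resolve_mode(?string $mode, string $base_dir): ?string
{
    if ($mode === null || !array_key_exists($mode, WPTE_MODES)) {
        return null;
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . WPTE_MODES[$mode]);
    // Defence in depth: the resolved file must still live under $base_dir,
    // so a mistaken map entry or a symlink cannot escape it.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function wpte_hardened_render(array $request, string $base_dir): void
{
    $path = wpte_resolve_mode($request['mode'] ?? null, $base_dir);
    if ($path === null) {
        http_response_code(400);
        exit('invalid mode');
    }
    include $path;
}

// Stand-alone demo against a throwaway template directory.
$base = sys_get_temp_dir() . '/wpte-demo-' . getmypid();
mkdir($base . '/templates', 0700, true);
foreach (WPTE_MODES as $rel) {
    file_put_contents($base . '/' . $rel, "<?php echo 'rendered ', basename(__FILE__), PHP_EOL;");
}
$probes = ['list', 'grid', '../../../../wp-config', 'list/../grid', '/etc/passwd',
           'php://filter/resource=list', null];
foreach ($probes as $mode) {
    $resolved = wpte_resolve_mode($mode, $base);
    printf("%-30s => %s\n", var_export($mode, true),
        $resolved === null ? 'REJECTED' : 'include ' . $resolved);
}
wpte_hardened_render(['mode' => 'list'], $base);   // prints "rendered list.php"
foreach (WPTE_MODES as $rel) {
    unlink($base . '/' . $rel);
}
rmdir($base . '/templates');
rmdir($base);
```

Only the three map keys resolve; every traversal, absolute-path and wrapper probe is rejected before anything touches the filesystem. The realpath check is deliberately redundant with the allowlist: it costs nothing and protects against the map itself being edited to point outside the template directory later.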

Generated by OpenCVE AI on April 20, 2026 at 21:41 UTC.


Advisories

No advisories yet.

History

Thu, 09 Oct 2025 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 09 Oct 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wptravelengine; Wptravelengine wp Travel Engine

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wptravelengine; Wptravelengine wp Travel Engine

Thu, 09 Oct 2025 05:45:00 +0000

Type: Description
Values Added: The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Type: Title
Values Added: WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Unauthenticated Local File Inclusion

Type: Weaknesses
Values Added: CWE-98

Type: References
Values Added: (none recorded)

Type: Metrics
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:19.690Z

Reserved: 2025-07-14T12:23:29.209Z

Link: CVE-2025-7634

Vulnrichment

Updated: 2025-10-09T15:50:49.385Z

NVD

Status: Deferred

Published: 2025-10-09T06:15:36.710

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses