CRITICAL🇵🇱 Wersja polska

CVE-2025-7634

CVSS 9.8v3.1pub. 2025-10-09upd. 2026-04-15

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of the 'mode' parameter in the plugin's AJAX controllers (including FilterTripsHtml and LoadTripsHtml), which is directly used to include PHP files on the server without proper validation or sanitization. An attacker can craft a request pointing to any .php file available on the server, which will then be loaded and executed by the PHP interpreter. In scenarios where it is possible to previously upload a .php file to the server (e.g., through another vulnerability or upload function), this directly leads to remote code execution (RCE).

Impact

An attacker can execute arbitrary PHP code on the server, bypass access control mechanisms, gain access to sensitive data (e.g., configuration data, user data) or take full control of the WordPress application and potentially the entire server.

Mitigation & patch

The WP Travel Engine plugin should be immediately updated to a version higher than 6.6.7, in which the vulnerability has been removed. Patches are available through the official WordPress repository. Until the update is applied, consider disabling the plugin or restricting access to AJAX endpoints at the Web Application Firewall (WAF) level.

Who is affected

WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress in all versions up to and including 6.6.7.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References