CVE Vulnerability Database

CVE-2025-30871: WP Travel Engine Path Traversal Flaw

CVE-2025-30871 is a path traversal vulnerability in the WP Travel Engine WordPress plugin that enables PHP local file inclusion attacks. This article covers the technical details, the affected versions (up to and including 6.3.5), and mitigation steps.

CVE-2025-30871 Overview

CVE-2025-30871 is a Local File Inclusion (LFI) vulnerability affecting the WP Travel Engine WordPress plugin. The flaw stems from improper control of filename parameters used in PHP include or require statements, classified under CWE-98. Authenticated attackers with low-privilege access can manipulate file path parameters to include arbitrary local PHP files on the server. The vulnerability affects all versions of WP Travel Engine up to and including 6.3.5. Successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential arbitrary code execution when combined with file upload primitives.

Critical Impact

Authenticated attackers can include arbitrary PHP files on the server, leading to information disclosure and potential remote code execution on affected WordPress installations.

Affected Products

  • WP Travel Engine plugin for WordPress versions through 6.3.5
  • WordPress sites with the WP Travel Engine plugin installed and activated
  • Any hosting environment running vulnerable WP Travel Engine deployments

Discovery Timeline

  • 2025-03-27 - CVE-2025-30871 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-30871

Vulnerability Analysis

The WP Travel Engine plugin contains a Local File Inclusion vulnerability classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The plugin passes user-controlled input into PHP file inclusion functions without sufficient validation or sanitization. Attackers authenticated with low-privilege accounts can supply crafted file path values to load arbitrary PHP files present on the server filesystem.

When the affected code reaches the include or require statement, PHP resolves the attacker-supplied path and executes the file as PHP code. This allows reading sensitive files such as wp-config.php, exposing database credentials and authentication keys. If an attacker can place PHP content into any readable location on the host, such as uploads directories or log files, the LFI can escalate to remote code execution.

Root Cause

The root cause is the absence of an allow-list or strict validation on filename parameters used by the plugin's include logic. User input flows from a request parameter directly to a PHP file inclusion function without normalization, extension filtering, or path containment checks against a fixed base directory.
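The helper below is an added example, not code from WP Travel Engine or from the Patchstack advisory. It places the vulnerable include shape described in the root-cause paragraph beside a resolver that applies the checks the paragraph says were missing: normalization, extension filtering, and containment inside a fixed base directory. The `templates` directory, the `template` request parameter, and all function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical base directory holding the only files the loader may include.
const TEMPLATE_BASE = __DIR__ . '/templates';

/**
 * Vulnerable shape (CWE-98): the request value is concatenated straight into
 * require, so "../../../wp-config", an absolute path, or a stream wrapper is
 * resolved and executed as PHP.
 */
function load_template_vulnerable(string $requested): void
{
    require TEMPLATE_BASE . '/' . $requested . '.php';
}

/**
 * Hardened resolver: returns the absolute path of the template to include,
 * or null if the request fails any of the three layered checks.
 */
function resolve_template_path(string $requested): ?string
{
    // 1. Shape check: a bare template name only. This rejects "/", "\", ".",
    //    null bytes and wrapper prefixes such as php:// before any path is built.
    if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/', $requested)) {
        return null;
    }

    // 2. The extension is fixed by the code, never by the client.
    $candidate = TEMPLATE_BASE . '/' . $requested . '.php';

    // 3. Containment: realpath() resolves symlinks and "..", and returns false
    //    for a missing file, so this doubles as the existence check.
    $base = realpath(TEMPLATE_BASE);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/** Include only a path that survived resolve_template_path(); refuse otherwise. */
function load_template_hardened(string $requested): bool
{
    $path = resolve_template_path($requested);
    if ($path === null) {
        // Refuse and record the attempt; never fall back to a client-chosen path.
        error_log('refused template include: ' . $requested);
        return false;
    }
    require $path;
    return true;
}

// Usage: the "template" parameter name is hypothetical; its value is untrusted.
$name = isset($_GET['template']) ? (string) $_GET['template'] : 'trip-card';
load_template_hardened($name);
```

Where the set of templates is fixed, an explicit allow-list of names (`in_array($requested, [...], true)`) is stricter than the shape check in step 1 and can replace it. The containment check in step 3 still belongs, because it also covers symlinks that point out of the base directory.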

Attack Vector

Exploitation requires network access to the WordPress site and an authenticated session with at least low-level privileges. The attacker submits a crafted HTTP request containing a manipulated filename parameter that targets a sensitive PHP file or attacker-controlled content already present on the server. Refer to the Patchstack WP Travel Engine Vulnerability advisory for additional technical context.

Detection Methods for CVE-2025-30871

Indicators of Compromise

  • HTTP requests to WP Travel Engine endpoints containing path traversal sequences such as ../, absolute paths, or references to sensitive files such as /etc/passwd and wp-config.php
  • Unexpected PHP file inclusion patterns in web server access logs targeting plugin parameters
  • New or modified PHP files in WordPress uploads directories following authenticated user activity
  • Outbound connections initiated by the PHP worker process to unexpected hosts after suspicious include operations

Detection Strategies

  • Inspect web server and WordPress logs for requests to WP Travel Engine routes containing suspicious filename or path parameters
  • Deploy WordPress security plugins or web application firewall (WAF) rules that flag LFI payload patterns against plugin endpoints
  • Monitor PHP error_log entries that reference failed include or require operations with unusual file paths
  • Correlate authenticated subscriber or customer account activity with file inclusion request patterns
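The scanner below is an added example (not the page's or the vendor's tooling) of the log inspection listed under Detection Strategies and the request-based indicators above. It parses combined-format access log lines, keeps only requests to plugin routes, decodes each query parameter twice to catch double-encoded traversal, and reports which indicators matched. The sample log lines are constructed; the `admin-ajax.php` action name, the `template` parameter, and the route pattern are hypothetical stand-ins, since the page does not name the affected endpoint.

```php
<?php
declare(strict_types=1);

// Constructed sample lines in combined log format. The admin-ajax action and
// the "template" parameter are hypothetical stand-ins for the plugin route.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [27/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wp_travel_engine_view&template=trip-card HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [27/Mar/2025:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=wp_travel_engine_view&template=..%252F..%252F..%252Fwp-config HTTP/1.1" 200 2210 "-" "curl/8.4.0"
203.0.113.12 - - [27/Mar/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=wp_travel_engine_view&template=/etc/passwd HTTP/1.1" 500 0 "-" "python-requests/2.31.0"
203.0.113.13 - - [27/Mar/2025:10:01:15 +0000] "GET /wp-content/plugins/wp-travel-engine/assets/style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
LOG;

/** Indicators checked against a fully decoded parameter value; returns the names that matched. */
function lfi_indicators(string $value): array
{
    $rules = [
        'dot-dot traversal' => '#(\.\./|\.\.\\\\)#',
        'absolute path'     => '#\A(?:/|[A-Za-z]:\\\\)#',
        'stream wrapper'    => '#\A(?:php|data|file|phar|expect)://#i',
        'null byte'         => '#\x00#',
        'sensitive file'    => '#(wp-config|/etc/passwd|/proc/self/)#i',
    ];
    $hits = [];
    foreach ($rules as $name => $re) {
        if (preg_match($re, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Scan combined-format access log text for plugin requests whose query
 * parameters carry LFI indicators. Returns one finding per suspicious parameter.
 */
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
            continue;
        }
        [, $ip, $ts, , $target, $status] = $m;

        // Restrict to the plugin's routes (hypothetical route hints).
        if (!preg_match('#wp[-_]travel[-_]engine#i', $target)) {
            continue;
        }
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params); // first decoding pass
        foreach ($params as $key => $value) {
            if (!is_string($value)) {
                continue;
            }
            $decoded = rawurldecode($value); // second pass catches %252e%252e%252f
            $hits = lfi_indicators($decoded);
            if ($hits !== []) {
                $findings[] = [
                    'line'       => $n + 1,
                    'ip'         => $ip,
                    'time'       => $ts,
                    'status'     => (int) $status,
                    'param'      => (string) $key,
                    'value'      => $decoded,
                    'indicators' => $hits,
                ];
            }
        }
    }
    return $findings;
}

print_r(scan_log(SAMPLE_LOG));
```

On the constructed sample the scanner flags line 2 (traversal plus a wp-config reference after double decoding) and line 3 (absolute path to /etc/passwd) and ignores the benign template request and the static asset. Access logs only carry the query string, so POST bodies need a WAF or application-level log to get the same coverage; the 200 status on line 2 is the kind of signal to correlate with the account activity mentioned in the last strategy above.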

Monitoring Recommendations

  • Enable verbose logging on the WordPress instance and forward access logs to a centralized log analytics platform
  • Alert on read access to wp-config.php and other sensitive files outside expected administrative workflows
  • Track plugin version inventory across managed WordPress sites to identify hosts still running version 6.3.5 or earlier

How to Mitigate CVE-2025-30871

Immediate Actions Required

  • Update WP Travel Engine to a version later than 6.3.5 as soon as a fixed release is available from the vendor
  • Audit all WordPress user accounts and revoke unnecessary low-privilege accounts that could be abused for authenticated exploitation
  • Review web server access logs for the past several months to identify potential prior exploitation attempts
  • Rotate WordPress secrets, database credentials, and API keys if evidence of wp-config.php disclosure is found

Patch Information

Consult the Patchstack WP Travel Engine Vulnerability advisory for the latest fixed version information. Site administrators should apply the vendor patch through the WordPress plugin update mechanism once available.

Workarounds

  • Temporarily deactivate the WP Travel Engine plugin until a patched version is installed
  • Deploy a web application firewall rule blocking path traversal sequences and absolute paths in plugin request parameters
  • Restrict file system permissions on the PHP worker process to limit readable files outside the WordPress webroot
  • Disable PHP execution in WordPress uploads directories using web server configuration to limit LFI-to-RCE escalation
```nginx
# Example nginx configuration to block PHP execution in uploads.
# Place it inside the server { } block before the generic "location ~ \.php$"
# handler: nginx uses the first matching regex location, so order matters.
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
    return 403;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
