CVE-2025-49308 Overview
CVE-2025-49308 is a Local File Inclusion (LFI) vulnerability in the WP Travel Engine WordPress plugin. The flaw stems from improper control of filenames used in PHP include or require statements [CWE-98]. Authenticated attackers with low privileges can include arbitrary local files on the server through crafted requests. This issue affects WP Travel Engine versions up to and including 6.5.1. Successful exploitation leads to disclosure of sensitive files, execution of attacker-controlled PHP files already on disk, and potential full site compromise.
Critical Impact
Authenticated attackers can include arbitrary PHP files from the WordPress server, leading to information disclosure, code execution, and complete site takeover.
Affected Products
- WP Travel Engine plugin for WordPress, versions up to and including 6.5.1
- WordPress sites running any affected version of the plugin, on any hosting environment
- PHP configuration (allow_url_include, open_basedir) changes what an attacker can include, not whether the site is affected
Discovery Timeline
- 2025-06-06 - CVE-2025-49308 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-49308
Vulnerability Analysis
The WP Travel Engine plugin fails to properly validate a filename parameter before passing it to a PHP include or require statement. The vulnerability is categorized as [CWE-98], Improper Control of Filename for Include/Require Statement. Although the CWE title references PHP Remote File Inclusion, the practical impact is Local File Inclusion because typical PHP configurations set allow_url_include to Off, which blocks http://, ftp:// and data:// targets in include and require.
An authenticated attacker with low-level privileges can manipulate the filename input to load arbitrary files already present on the server. Because include() executes any PHP tags it finds and echoes everything else, the attack works in two ways: pointing the include at a file that already contains PHP (a backdoor placed in the uploads directory, or a log or session file the attacker has poisoned with PHP tags) yields code execution, while pointing it at a non-PHP file discloses its contents. Including wp-config.php directly executes it rather than displaying it; its secrets are normally read instead by wrapping the path in the php://filter stream with a base64 conversion filter, which remains available with allow_url_include disabled and returns the source encoded instead of executing it. The flaw affects the confidentiality, integrity and availability of the underlying WordPress installation.
Root Cause
The plugin code accepts user-controlled input and passes it to a PHP file inclusion function without an allowlist of permitted names, path normalization, or a check that the resolved path stays inside the intended directory. Path traversal sequences and absolute paths are not blocked, so files outside the intended directory can be included.
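The pattern above, shown as an added example rather than code from WP Travel Engine: the function names, the "template" parameter and the templates/ directory layout are assumptions made for the illustration. The vulnerable form concatenates the request value into include(); the inadequate fix shows why stripping "../" once does not help; the hardened form allowlists the logical name and then re-checks the realpath() result against the intended directory.

```php
<?php
declare(strict_types=1);

// Added illustration of the CWE-98 pattern and its fix. Not plugin code:
// function names, the "template" parameter and the templates/ layout are assumed.

// VULNERABLE: request input is concatenated into the include path, so
// "../../wp-config.php", an absolute path, or a php://filter wrapper all
// reach include() unchanged.
function render_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template;
}

// INADEQUATE FIX: a single str_replace() pass is bypassed by "....//",
// which collapses to "../" once the inner "../" has been removed.
function strip_traversal_once(string $value): string
{
    return str_replace('../', '', $value);
}

// HARDENED: allowlist the logical name, then resolve the real path and
// confirm it still lies inside the templates directory. Returns the path
// to include, or null when the request must be rejected.
function resolve_template(string $template, string $baseDir, array $allowed): ?string
{
    if (!in_array($template, $allowed, true)) {
        return null;                                   // unknown name
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $template . '.php');
    if ($path === false) {
        return null;                                   // missing file or dangling symlink
    }
    // realpath() follows symlinks, so this prefix check also catches a
    // template file that was replaced by a link pointing outside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template, string $baseDir): void
{
    $allowed = ['trip-list', 'trip-single', 'booking-form'];   // assumed template names
    $path = resolve_template($template, $baseDir, $allowed);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template');
    }
    include $path;   // $path is a file we chose, not the raw request value
}

// CLI demo against a throwaway directory.
$root = sys_get_temp_dir() . '/wte-demo-' . getmypid();
$tpl  = $root . '/templates';
mkdir($tpl, 0700, true);
file_put_contents($tpl . '/trip-list.php', "<?php echo 'trip-list rendered', PHP_EOL;\n");

echo 'after one strip pass: ', strip_traversal_once('....//....//wp-config.php'), PHP_EOL;
echo 'traversal accepted?  ', var_export(resolve_template('../../wp-config', $tpl, ['trip-list']) !== null, true), PHP_EOL;
echo 'absolute accepted?   ', var_export(resolve_template('/etc/passwd', $tpl, ['trip-list']) !== null, true), PHP_EOL;
render_template_safe('trip-list', $tpl);

unlink($tpl . '/trip-list.php');
rmdir($tpl);
rmdir($root);
```

Run with php on the command line. The allowlist alone is sufficient; the realpath() prefix check is the second layer that keeps a later allowlist mistake, or a symlinked template file, from reintroducing the inclusion.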
Attack Vector
Exploitation requires network access to the WordPress site and authenticated access with at least low-level privileges. The attacker submits a crafted request to a vulnerable plugin endpoint, supplying a path that resolves to a target file on the local filesystem. The vulnerability mechanism is described in the Patchstack Vulnerability Report.
// Verified exploit code is not publicly available.
// Refer to the Patchstack advisory for technical details.
Detection Methods for CVE-2025-49308
Indicators of Compromise
- HTTP requests to WP Travel Engine endpoints containing path traversal sequences such as ../, URL-encoded variants such as %2e%2e%2f, or double-encoded forms such as %252e%252e%252f
- Requests with parameter values pointing to sensitive paths such as wp-config.php, /etc/passwd, or PHP session files
- Unexpected PHP errors in server logs referencing include() or require() with attacker-supplied paths
- Web shell artifacts or new PHP files appearing in the uploads directory shortly after suspicious plugin requests
Detection Strategies
- Inspect web server access logs for requests to WP Travel Engine endpoints containing suspicious filename parameters
- Deploy WordPress-aware web application firewall rules that block traversal patterns and absolute paths in plugin parameters
- Monitor for PHP fatal errors and warnings referencing inclusion failures from the plugin's source files
- Compare plugin files against known-good versions to detect tampering or injected payloads
Monitoring Recommendations
- Enable verbose PHP error logging and forward logs to a centralized SIEM for correlation
- Alert on creation or modification of PHP files within the WordPress uploads directory
- Track authenticated session activity for low-privilege users invoking plugin endpoints with file path parameters
- Review WordPress audit logs for unusual access patterns from subscriber or contributor accounts
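A scanner for the access-log indicators listed above, as an added example that is not part of the advisory or the plugin. The advisory does not name the vulnerable endpoint or parameter, so the admin-ajax action name, the "file" parameter and every log line are constructed; the scan is therefore applied to every request and each hit is tagged with whether the request references the plugin at all. Requires PHP 8 (str_contains).

```php
<?php
declare(strict_types=1);

// Added detection example over constructed combined-format log lines.
// The endpoint, parameter and traffic below are assumptions, not advisory data.

const PLUGIN_MARKERS = ['wp-travel-engine', 'wp_travel_engine', 'wptravelengine'];

// Apache/nginx combined log: host ident user [time] "METHOD target PROTO" status size ...
const LOG_RE = '/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';

// Decode repeatedly so %252e%252e%252f (double-encoded ../) is caught too.
function fully_decode(string $s): string
{
    for ($i = 0; $i < 4; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Return the rule names that fire for one request target (path + query).
function classify_target(string $target): array
{
    $hits    = [];
    $once    = rawurldecode($target);
    $decoded = str_replace('\\', '/', fully_decode($target));

    if (preg_match('#\.\./#', $decoded)) {
        $hits[] = 'traversal';
    }
    if (preg_match('#[?&][^=&]*=(?:/|[A-Za-z]:/)#', $decoded)) {
        $hits[] = 'absolute-path';          // parameter value is an absolute path
    }
    if (preg_match('#\b(?:php|data|phar|expect|file)://#i', $decoded)) {
        $hits[] = 'stream-wrapper';
    }
    if (preg_match('#wp-config\.php|/etc/passwd|/proc/self/|sess_[0-9a-z]{8,}#i', $decoded)) {
        $hits[] = 'sensitive-target';
    }
    // Still percent-encoded after one decode means the client double-encoded.
    if ($hits !== [] && preg_match('/%[0-9a-f]{2}/i', $once)) {
        $hits[] = 'double-encoded';
    }
    return $hits;
}

function references_plugin(string $target): bool
{
    $t = strtolower(fully_decode($target));
    foreach (PLUGIN_MARKERS as $marker) {
        if (str_contains($t, $marker)) {
            return true;
        }
    }
    return false;
}

// Scan an array of log lines; return one record per suspicious request.
function scan_access_log(array $lines): array
{
    $out = [];
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                        // not a combined-format line
        }
        [, $ip, $user, $time, $method, $target, $status] = $m;
        $hits = classify_target($target);
        if ($hits === []) {
            continue;
        }
        $out[] = [
            'line'   => $n + 1,
            'ip'     => $ip,
            'user'   => $user,               // "-" unless the server logs authenticated users
            'status' => (int) $status,
            'plugin' => references_plugin($target),
            'rules'  => $hits,
            'target' => $target,
        ];
    }
    return $out;
}

// Constructed sample lines (not real traffic; the action and parameter names are invented).
$sample = [
    '203.0.113.10 - - [17/Jun/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=wp_travel_engine_view&file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.10 - - [17/Jun/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=wp_travel_engine_view&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.10 - - [17/Jun/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=wp_travel_engine_view&file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9400 "-" "curl/8.0"',
    '198.51.100.7 - - [17/Jun/2025:10:02:00 +0000] "GET /wp-content/plugins/wp-travel-engine/assets/css/style.css HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jun/2025:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $r) {
    printf("line %d %s user=%s status=%d plugin=%s rules=%s\n  %s\n",
        $r['line'], $r['ip'], $r['user'], $r['status'],
        $r['plugin'] ? 'yes' : 'no', implode(',', $r['rules']), $r['target']);
}
```

The first three sample lines fire (traversal, double-encoded traversal, and a php://filter read of wp-config.php); the stylesheet and login requests do not. A 200 response on a hit is the stronger signal, since a rejected inclusion usually surfaces as a PHP warning or a 500 instead. Feed real logs with scan_access_log(file('access.log', FILE_IGNORE_NEW_LINES)).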
How to Mitigate CVE-2025-49308
Immediate Actions Required
- Update WP Travel Engine to a version later than 6.5.1 as soon as a fixed release is available from the vendor
- Restrict registration and lower the privileges of untrusted accounts to reduce the attack surface
- Audit the WordPress uploads directory and wp-content for unauthorized PHP files
- Rotate WordPress administrator credentials and database passwords if compromise is suspected
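An audit of the uploads tree, serving both the monitoring item on new PHP files in the uploads directory and the audit action above. This is an added example, not part of the advisory or the plugin; the directory it scans and the planted files are constructed. It flags executable extensions, double extensions such as shell.php.jpg, and files whose first bytes open a PHP tag regardless of extension, since an LFI will execute a PHP payload inside a .jpg just as readily.

```php
<?php
declare(strict_types=1);

// Added uploads-audit example; directory layout and planted files are constructed.

// Extensions the PHP handler may execute, depending on web server configuration.
const PHP_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps'];

// A file qualifies if its extension is executable, if it carries a PHP
// double extension, or if its first bytes open a PHP tag.
function looks_like_php(string $path): array
{
    $reasons = [];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (in_array($ext, PHP_EXTENSIONS, true)) {
        $reasons[] = 'extension';
    }
    if (preg_match('/\.(?:' . implode('|', PHP_EXTENSIONS) . ')\.[a-z0-9]+$/i', $path)) {
        $reasons[] = 'double-extension';     // e.g. shell.php.jpg
    }
    $head = @file_get_contents($path, false, null, 0, 4096);
    if ($head !== false && preg_match('/<\?(?:php\b|=)/i', $head)) {
        $reasons[] = 'php-tag';              // PHP tag inside a non-PHP file
    }
    return $reasons;
}

// Walk $dir and return [path => reasons] for everything that looks like PHP.
// $since (Unix time) limits the walk to recently modified files for alerting.
function audit_uploads(string $dir, int $since = 0): array
{
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $file) {
        if (!$file->isFile() || $file->getMTime() < $since) {
            continue;
        }
        $reasons = looks_like_php($file->getPathname());
        if ($reasons !== []) {
            $found[$file->getPathname()] = $reasons;
        }
    }
    return $found;
}

// Demo: constructed uploads tree with one clean image and three suspicious files.
$root = sys_get_temp_dir() . '/wte-uploads-' . getmypid();
mkdir($root . '/2025/06', 0700, true);
file_put_contents($root . '/2025/06/photo.jpg', "\xFF\xD8\xFF\xE0 not php");
file_put_contents($root . '/2025/06/shell.php', "<?php echo 'planted'; ?>");
file_put_contents($root . '/2025/06/shell.php.jpg', "<?php echo 'planted'; ?>");
file_put_contents($root . '/2025/06/image.png', "\x89PNG\r\n<?php echo 'polyglot'; ?>");

foreach (audit_uploads($root) as $path => $reasons) {
    echo substr($path, strlen($root)), ' => ', implode(',', $reasons), PHP_EOL;
}

// Cleanup of the demo tree.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

Point it at wp-content/uploads and pass time() - 3600 as $since from a cron job to get the hourly "new PHP in uploads" alert; a content hit on an image file is worth treating as a planted payload rather than a false positive.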
Patch Information
Review the Patchstack Vulnerability Report for the latest patched version and remediation guidance from the plugin maintainer. Apply the update through the WordPress admin dashboard or via WP-CLI in a staging environment first.
Workarounds
- Disable the WP Travel Engine plugin until a patched version is installed if business operations allow
- Set allow_url_include to Off (and allow_url_fopen to Off if no plugin depends on URL fopen) in php.ini; this removes the remote-inclusion variant only and does not stop local file inclusion or php://filter reads
- Configure open_basedir to restrict PHP file access to the WordPress tree plus its session and temp path; this blocks reads of /etc/passwd and other system files but not inclusion of PHP planted in wp-content/uploads, which sits inside the tree
- Deploy a WAF rule blocking traversal sequences, stream wrappers and absolute paths in HTTP parameters destined for plugin endpoints, including their URL-encoded and double-encoded forms
; Example php.ini hardening (php.ini comments use ";"; "#" comments are not accepted by PHP 7 and later)
; Stops remote wrappers (http://, ftp://, data://) in include; local inclusion and php://filter are unaffected
allow_url_include = Off
; May break plugins that fetch URLs via file_get_contents(); WordPress core's HTTP API uses cURL when the extension is present
allow_url_fopen = Off
; Confines PHP file access to the site tree plus the session/temp path; the uploads directory is inside that tree
open_basedir = "/var/www/html:/tmp"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

