CVE-2025-69133 Overview
CVE-2025-69133 is a Local File Inclusion (LFI) vulnerability in the Tourmaster WordPress plugin versions 5.4.5 and earlier. Authenticated attackers with Subscriber-level privileges can exploit the flaw to include arbitrary local files through the plugin. The issue is categorized under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program). Successful exploitation can lead to disclosure of sensitive server-side files and, in some environments, execution of attacker-controlled content. The vulnerability requires network access and low-privileged authentication but no user interaction.
Critical Impact
Authenticated Subscriber users can include arbitrary local files, exposing credentials, configuration data, and potentially enabling code execution paths on affected WordPress sites.
Affected Products
- Tourmaster WordPress plugin versions <= 5.4.5
- WordPress sites permitting Subscriber-level registration
- Hosting environments running the vulnerable plugin build
Discovery Timeline
- 2026-07-02 - CVE-2025-69133 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2025-69133
Vulnerability Analysis
The Tourmaster plugin fails to properly control the filename used in a PHP include or require statement. An authenticated user with the Subscriber role can supply a crafted parameter that is passed into a file inclusion routine without adequate sanitization. Because Subscriber is the lowest privileged authenticated role in WordPress and is often available through open registration, the barrier for exploitation is limited to obtaining any valid account. Once included, the referenced file is parsed by the PHP interpreter, exposing its contents or executing its instructions in the context of the web server process.
Root Cause
The root cause is improper validation of user-controlled input used in a dynamic file inclusion path, tracked as [CWE-98]. The plugin trusts request parameters to build the target path for inclusion. Attackers can traverse directories or reference sensitive server files such as configuration files, logs, or session data. The absence of an allowlist for permitted include targets converts a routine request handler into an arbitrary file inclusion sink.
Attack Vector
Exploitation proceeds over the network against a Tourmaster-enabled WordPress endpoint. The attacker authenticates as a Subscriber, then issues a crafted request containing a manipulated file path parameter. The plugin resolves and includes the specified file, returning its contents or triggering PHP execution when the referenced file contains parseable code. No user interaction is required after the request is sent. Refer to the Patchstack WordPress Vulnerability Report for advisory details.
No verified proof-of-concept code is publicly linked to this advisory at the time of publication. The vulnerability mechanism is described in prose only; see the Patchstack advisory for additional technical context.
Detection Methods for CVE-2025-69133
Indicators of Compromise
- Web server access logs showing Subscriber-authenticated requests to Tourmaster endpoints with parameters containing ../, absolute paths, or references to files such as wp-config.php.
- HTTP responses returning unexpected content types or content resembling PHP source, configuration data, or system files.
- New Subscriber accounts registered shortly before anomalous plugin requests.
Detection Strategies
- Inspect WordPress request logs for query parameters passed to Tourmaster handlers that contain path separators or encoded traversal sequences (%2e%2e%2f).
- Correlate Subscriber-role sessions with requests targeting plugin PHP files not typically accessed by low-privileged users.
- Deploy web application firewall (WAF) rules matching known LFI payload patterns against plugin request paths.
Monitoring Recommendations
- Alert on repeated 200-status responses to Tourmaster endpoints containing traversal characters in query strings.
- Monitor wp_users table changes and new user registrations for accounts that immediately interact with plugin endpoints.
- Track file read operations on sensitive files such as wp-config.php, .htaccess, and /etc/passwd from the PHP process.
How to Mitigate CVE-2025-69133
Immediate Actions Required
- Update the Tourmaster plugin to a version later than 5.4.5 once the vendor releases a fixed build.
- Audit existing Subscriber accounts and remove any that were not legitimately provisioned.
- Disable open user registration on WordPress sites that do not require it.
Patch Information
A fixed version is tracked in the Patchstack WordPress Vulnerability Report. Administrators should apply the vendor-supplied update as soon as it is available and verify the installed plugin version through the WordPress admin dashboard.
Workarounds
- Temporarily deactivate the Tourmaster plugin until a patched version is installed.
- Restrict access to plugin PHP endpoints using WAF rules or web server-level access controls.
- Set open_basedir in PHP to limit file system paths accessible to the web application.
# Configuration example: restrict PHP file access via open_basedir
# Add to php.ini or per-site configuration
open_basedir = "/var/www/html:/tmp"
disable_functions = "show_source,system,shell_exec,passthru,exec,phpinfo,popen,proc_open"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

