CVE-2025-7634 Overview
A critical Local File Inclusion (LFI) vulnerability has been identified in the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress. This vulnerability exists in all versions up to and including 6.6.7 and allows unauthenticated attackers to include and execute arbitrary PHP files on the server through the mode parameter.
The vulnerability enables attackers to bypass access controls, obtain sensitive data, and achieve remote code execution when combined with the ability to upload .php files. This represents a severe security risk for any WordPress site running the affected plugin versions.
Critical Impact
Unauthenticated attackers can achieve remote code execution by including arbitrary PHP files on the server, potentially leading to complete site compromise.
Affected Products
- WP Travel Engine – Tour Booking Plugin for WordPress versions up to and including 6.6.7
Discovery Timeline
- 2025-10-09 - CVE-2025-7634 published to NVD
- 2025-10-09 - Last updated in NVD database
Technical Details for CVE-2025-7634
Vulnerability Analysis
This Local File Inclusion vulnerability (CWE-98) exists due to improper input validation in the WP Travel Engine plugin's Ajax handlers. The vulnerability is exposed through two key controller files: FilterTripsHtml.php and LoadTripsHtml.php, which handle trip filtering and loading functionality respectively.
The mode parameter is not properly sanitized before being used to include PHP files, allowing attackers to manipulate the file path and include arbitrary PHP files present on the server. This is particularly dangerous because WordPress plugins often have predictable directory structures, and attackers may leverage existing PHP files or uploaded malicious files to execute arbitrary code.
The vulnerability requires no authentication to exploit, meaning any remote attacker with network access to the WordPress site can attempt exploitation. When successfully exploited, attackers can read sensitive configuration files, execute malicious PHP code, and potentially gain complete control over the WordPress installation and underlying server.
Root Cause
The root cause of this vulnerability is insufficient input validation and path sanitization of the mode parameter in the plugin's Ajax controller files. The parameter value is used directly to construct a file path for PHP file inclusion without proper validation, allowing directory traversal sequences or references to files outside the intended scope.
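To make the root cause concrete, the following PHP is an added illustration written for this page; it is constructed and is not WP Travel Engine's code. The handler names, the template directory, the template table and the demo files are all assumptions. It places the CWE-98 pattern (a request value spliced into an include path) beside an allowlisted replacement in which the "mode" value only ever selects an entry from a fixed table, and the resolved path is additionally checked to lie inside the template directory.

```php
<?php
// Constructed example (not WP Travel Engine's code): the CWE-98 pattern behind
// CVE-2025-7634 and an allowlisted replacement. Function, directory and
// template names are assumptions made for this illustration.

// VULNERABLE PATTERN: the request value becomes part of the include path.
// A value such as "../outside" escapes the template directory entirely.
function render_trips_vulnerable(array $request, string $template_dir): void
{
    $mode = $request['mode'] ?? 'grid';
    include $template_dir . '/' . $mode . '.php';
}

// HARDENED PATTERN: "mode" selects from a fixed table of template files, so
// request data never reaches the include path unchanged.
const TRIP_TEMPLATES = [
    'grid' => 'grid.php',
    'list' => 'list.php',
];

// Returns the absolute template path, or null when the value is not on the
// allowlist or the resolved file is not inside $template_dir (defence in depth).
function resolve_trip_template(string $mode, string $template_dir): ?string
{
    if (!array_key_exists($mode, TRIP_TEMPLATES)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . TRIP_TEMPLATES[$mode]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_trips_hardened(array $request, string $template_dir): void
{
    $mode = $request['mode'] ?? 'grid';
    if (!is_string($mode)) {
        $mode = ''; // arrays or other shapes are never a valid selector
    }
    $path = resolve_trip_template($mode, $template_dir);
    if ($path === null) {
        http_response_code(400);
        echo "invalid mode\n";
        return;
    }
    include $path;
}

// Self-contained demo: build a throwaway template directory, plant a benign
// file outside it, and show which handler is willing to include that file.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    $templates = $root . '/templates';
    mkdir($templates, 0700, true);
    file_put_contents($templates . '/grid.php', "<?php echo \"grid template\\n\";");
    file_put_contents($templates . '/list.php', "<?php echo \"list template\\n\";");
    file_put_contents($root . '/outside.php', "<?php echo \"OUTSIDE FILE EXECUTED\\n\";");

    echo "[hardened, mode=list] ";
    render_trips_hardened(['mode' => 'list'], $templates);
    echo "[hardened, mode=../outside] ";
    render_trips_hardened(['mode' => '../outside'], $templates);
    echo "[vulnerable, mode=../outside] ";
    render_trips_vulnerable(['mode' => '../outside'], $templates);

    foreach (['/templates/grid.php', '/templates/list.php', '/outside.php'] as $f) {
        unlink($root . $f);
    }
    rmdir($templates);
    rmdir($root);
}
```

Run it with `php lfi-demo.php`: the hardened handler renders the `list` template and answers "invalid mode" for the traversal value, while the vulnerable handler includes and executes the planted file. Note that the allowlist is the actual fix; the `realpath` prefix check only guards against a future mistake in the table itself, and neither depends on authentication, which matters here because the affected handlers are reachable without it.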
Attack Vector
The attack is executed remotely over the network without requiring any authentication or user interaction. An attacker can craft a malicious HTTP request to the WordPress Ajax handler, manipulating the mode parameter to include arbitrary PHP files. The attack flow typically involves:
- Identifying a WordPress site running a vulnerable version of WP Travel Engine
- Sending a crafted request to the Ajax endpoint with a manipulated mode parameter
- The server includes and executes the specified PHP file
- If a malicious PHP file can be uploaded or an existing PHP file can be leveraged, the attacker achieves code execution
The vulnerability is accessible through the affected Ajax handlers at FilterTripsHtml.php (line 72) and LoadTripsHtml.php (line 27). Technical details of the vulnerable code can be found in the WordPress Plugin Code Review and additional context in the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-7634
Indicators of Compromise
- Unusual HTTP POST requests to WordPress Ajax endpoints containing suspicious mode parameter values with path traversal sequences (e.g., ../, ..%2f)
- Web server access logs showing requests to /wp-admin/admin-ajax.php whose action parameter refers to a WP Travel Engine action (the wp_travel_engine family) and whose remaining parameters carry abnormal content
- Unexpected PHP file access or creation in plugin directories or temporary folders
- Evidence of webshell deployment or unauthorized PHP file uploads
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Monitor WordPress Ajax endpoints for suspicious parameter values containing directory traversal sequences
- Deploy file integrity monitoring on the WordPress installation to detect unauthorized file modifications or additions
- Use endpoint detection solutions to identify suspicious processes spawned by PHP or unexpected outbound network connections originating from the web server
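The indicators and detection strategies above can be exercised against access logs directly. The PHP script below is an added example written for this page, not code from the advisory or the plugin: it parses Apache combined-format log lines, keeps only requests to /wp-admin/admin-ajax.php, percent-decodes the mode parameter repeatedly (so `..%2f` and the double-encoded `..%252f` both normalise to `../`) and reports the ones that contain a traversal sequence. The sample log lines and the action name `example_filter_trips` are constructed.

```php
<?php
// Added example (constructed, not part of the advisory or the plugin): flag
// admin-ajax.php requests whose "mode" parameter carries a traversal sequence.
// The log lines and the action name "example_filter_trips" are made up.

const ADMIN_AJAX_PATH = '/wp-admin/admin-ajax.php';

// Constructed Apache combined-format lines: one benign, two suspicious, one
// that is not an admin-ajax request at all.
const SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter_trips&mode=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter_trips&mode=..%2f..%2fplaceholder HTTP/1.1" 200 233 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=example_filter_trips&mode=..%252f..%252fplaceholder HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Oct/2025:10:02:00 +0000] "GET /index.php?mode=../placeholder HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

// Percent-decode until the value stops changing (bounded), so that nested
// encodings such as %252f collapse to a plain slash.
function fully_decode(string $value, int $max_rounds = 3): string
{
    for ($i = 0; $i < $max_rounds; $i++) {
        $next = rawurldecode($value);
        if ($next === $value) {
            break;
        }
        $value = $next;
    }
    return $value;
}

// Returns a finding for a suspicious admin-ajax request, or null when the line
// is clean, targets another path, or is not in combined log format.
function inspect_log_line(string $line): ?array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    [, $ip, $time, $method, $target, $status] = $m;
    $url = parse_url($target);
    if (($url['path'] ?? '') !== ADMIN_AJAX_PATH || empty($url['query'])) {
        return null;
    }
    parse_str($url['query'], $params); // decodes each value once
    $mode = $params['mode'] ?? null;
    if (!is_string($mode)) {
        return null;
    }
    $mode = fully_decode($mode);
    // ".." followed by either path separator is the traversal signature
    if (!preg_match('#\.\.[/\\\\]#', $mode)) {
        return null;
    }
    $action = $params['action'] ?? '';
    return [
        'ip' => $ip,
        'time' => $time,
        'method' => $method,
        'status' => (int) $status,
        'action' => is_string($action) ? $action : '',
        'mode' => $mode,
    ];
}

// Runs the inspector over every line and returns the findings in order.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $hit = inspect_log_line($line);
        if ($hit !== null) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    // Pass a log file path as the first argument, or run without one for the sample.
    $lines = isset($argv[1])
        ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : SAMPLE_LOG;
    foreach (scan_log($lines) as $hit) {
        printf("%s %s %s status=%d action=%s mode=%s\n",
            $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['action'], $hit['mode']);
    }
}
```

On the sample input the second and third lines are reported and the other two are not. When triaging, treat a flagged request that returned 200 as more urgent than one that returned 403, since the latter was already refused. Two limits are worth keeping in mind: access logs do not record POST bodies, so parameters sent in the body are invisible to this check and need the WAF or file integrity monitoring named above, and the `..` test is deliberately narrow, so a value that is an absolute path or uses another encoding trick would need its own rule.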
Monitoring Recommendations
- Enable detailed logging for WordPress Ajax requests and regularly review for anomalies
- Configure real-time alerts for path traversal patterns in web server logs
- Monitor for unusual file system activity in the WordPress wp-content/plugins/ directory
- Implement SentinelOne's WordPress protection capabilities to detect LFI exploitation attempts and unauthorized code execution
How to Mitigate CVE-2025-7634
Immediate Actions Required
- Update the WP Travel Engine plugin to a version newer than 6.6.7 immediately if a patched version is available
- If an update is not yet available, temporarily disable the WP Travel Engine plugin until a patch is released
- Review web server logs for evidence of exploitation attempts
- Scan the WordPress installation for unauthorized files, webshells, or suspicious modifications
- Implement WAF rules to block requests containing path traversal patterns targeting the affected Ajax endpoints
Patch Information
Site administrators should check for available updates through the WordPress plugin repository or the official WP Travel Engine channels. The vulnerability affects all versions up to and including 6.6.7, so any version newer than 6.6.7 should contain the fix. Monitor the Wordfence Vulnerability Report for updated patch information.
Workarounds
- Disable the WP Travel Engine plugin temporarily if business operations permit
- Implement WAF rules to filter and block requests containing path traversal patterns in the mode parameter
- Restrict access to WordPress Ajax endpoints at the web server level if feasible
- Use file upload restrictions to prevent uploading of PHP files through any means
# Example: block path traversal attempts in Apache .htaccess
# Add to the WordPress root .htaccess file (requires mod_rewrite).
# These conditions inspect only the query string; mod_rewrite cannot read a
# POST body, so POSTed parameters still need a WAF or application-level check.
<IfModule mod_rewrite.c>
RewriteEngine On
# The three conditions are OR-chained; any one of them triggers the rule.
# 1. literal ../ anywhere in the query string
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
# 2. URL-encoded ../ (QUERY_STRING is not decoded, so %2f is matched literally; NC also covers %2F)
RewriteCond %{QUERY_STRING} (\.\.%2f) [NC,OR]
# 3. a mode value that contains ".." at any point
RewriteCond %{QUERY_STRING} (mode=.*\.\.) [NC]
# Answer matching admin-ajax.php requests with 403 Forbidden
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

