CVE-2025-7634 Overview
CVE-2025-7634 is a Local File Inclusion (LFI) vulnerability in the WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress. The flaw affects all plugin versions up to and including 6.6.7. The vulnerability resides in the handling of the mode parameter within AJAX controllers used to render trip HTML content. Unauthenticated attackers can include and execute arbitrary .php files on the server, enabling arbitrary PHP code execution when attacker-controlled files are accessible. The issue is tracked under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Unauthenticated remote attackers can include and execute arbitrary PHP files, leading to access control bypass, sensitive data disclosure, and full remote code execution on affected WordPress sites.
Affected Products
- WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress (all versions through 6.6.7)
- Vulnerable component: includes/classes/Core/Controllers/Ajax/FilterTripsHtml.php
- Vulnerable component: includes/classes/Core/Controllers/Ajax/LoadTripsHtml.php
Discovery Timeline
- 2025-10-09 - CVE-2025-7634 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7634
Vulnerability Analysis
The WP Travel Engine plugin exposes AJAX endpoints that render trip listing HTML based on user-supplied parameters. The mode parameter passed to these endpoints is concatenated into a file path and passed to a PHP include or require call without proper validation or allow-listing. According to the Wordfence Vulnerability Report, the issue allows unauthenticated attackers to traverse directories and include arbitrary local .php files. When combined with any file upload primitive that places .php content on disk (such as uploaded media, log files, or session files containing attacker-controlled data), the LFI escalates into arbitrary code execution under the web server user context.
Root Cause
The root cause is improper validation of the mode request parameter inside the AJAX controllers FilterTripsHtml.php and LoadTripsHtml.php. The parameter value flows directly into a filesystem path used by a PHP include construct. There is no sanitization to strip traversal sequences such as ../, no allow-list of expected template names, and no authentication or capability check on the AJAX action. This combination of missing input validation and missing authorization makes the endpoint reachable by any unauthenticated visitor.
Attack Vector
Exploitation occurs over the network through standard HTTP requests to the WordPress admin-ajax.php endpoint with the vulnerable plugin action and a crafted mode parameter. The attacker supplies a path that resolves to a .php file already present on the server, such as a previously uploaded attachment, a writable temp file, or a session file. PHP then executes the contents of that file in the context of the WordPress application. No user interaction or authentication is required, and the attack complexity is low. Refer to the FilterTripsHtml.php source and LoadTripsHtml.php source for the affected code paths.
No public proof-of-concept exploit code has been published. See the security advisory for technical details.
Detection Methods for CVE-2025-7634
Indicators of Compromise
- HTTP POST or GET requests to admin-ajax.php containing a mode parameter value with path traversal sequences such as ../ or absolute filesystem paths.
- Web server access logs showing AJAX actions tied to WP Travel Engine handlers paired with anomalous mode values referencing uploads, log, or temp directories.
- Unexpected PHP files written to wp-content/uploads/ or other writable directories shortly before suspicious AJAX requests.
- Outbound network connections originating from the PHP worker process to unknown infrastructure following plugin AJAX requests.
Detection Strategies
- Inspect WordPress and web server logs for requests targeting WP Travel Engine AJAX actions where the mode parameter contains non-alphanumeric characters or filesystem separators.
- Deploy a Web Application Firewall (WAF) rule that blocks traversal patterns in query parameters destined for admin-ajax.php.
- Monitor for PHP include and require runtime errors referencing paths outside the plugin directory, which indicate failed or successful LFI attempts.
Monitoring Recommendations
- Audit the wp-content/plugins/wp-travel-engine/ directory for the installed plugin version and confirm it is patched.
- Enable file integrity monitoring on wp-content/uploads/ and other writable paths to catch attacker-staged .php payloads.
- Correlate authentication logs, file write events, and outbound process telemetry to identify post-exploitation activity such as webshell deployment.
How to Mitigate CVE-2025-7634
Immediate Actions Required
- Update the WP Travel Engine plugin to a version later than 6.6.7 as soon as a fixed release is available from the vendor.
- If no patched version is installed, deactivate and remove the plugin until an update can be applied.
- Review server filesystems for unauthorized .php files in writable directories and remove any unknown artifacts.
- Rotate WordPress administrative credentials, API keys, and database credentials if exploitation is suspected.
Patch Information
Affected installations should upgrade beyond version 6.6.7. Consult the Wordfence Vulnerability Report for the current fixed version and vendor advisory details.
Workarounds
- Restrict access to admin-ajax.php at the WAF or reverse proxy layer when the mode parameter contains path traversal characters or absolute paths.
- Disable PHP execution within wp-content/uploads/ using web server configuration to limit the impact of any included file.
- Apply a virtual patch through a managed WordPress security service that blocks the vulnerable WP Travel Engine AJAX actions until the plugin is updated.
# Example nginx configuration to disable PHP execution in uploads
location ~* /wp-content/uploads/.*\.php$ {
deny all;
return 403;
}
# Example WAF rule pattern to block traversal in the mode parameter
# ModSecurity rule (illustrative)
SecRule ARGS:mode "@rx (\.\./|\.\.\\|/etc/|/var/log/)" \
"id:1007634,phase:2,deny,status:403,msg:'CVE-2025-7634 LFI attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
