CVE-2025-7634
Published: 09 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-7634 is a Local File Inclusion (LFI) vulnerability in the WP Travel Engine – Tour Booking Plugin – Tour Operator Software for WordPress, affecting all versions up to and including 6.6.7. The flaw arises via the "mode" parameter, which enables unauthenticated attackers to include and execute arbitrary .php files on the server. This can lead to the execution of any PHP code within those files, as classified under CWE-98, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Exploitation allows inclusion of server files for PHP code execution, enabling attackers to bypass access controls, obtain sensitive data, or achieve full code execution, particularly in scenarios where .php file uploads are possible elsewhere in the application.
Advisories reference the vulnerable code at specific locations in version 6.6.0, including line 72 in includes/classes/Core/Controllers/Ajax/FilterTripsHtml.php and line 27 in includes/classes/Core/Controllers/Ajax/LoadTripsHtml.php. Additional details are provided in the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/ce119965-01a0-4cff-a0b2-e99bceb1406c?source=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated LFI leading to PHP code execution in a public-facing WordPress plugin, directly enabling exploitation of a public-facing application.