Local File Inclusion Vulnerability in WP Travel Engine Plugin for WordPress
CVE-2024-12272

8.8 HIGH

Summary

The WP Travel Engine – Elementor Widgets plugin for WordPress contains a Local File Inclusion vulnerability affecting all versions prior to 1.3.8. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary files on the server, so any PHP code in those files is executed. This can be used to bypass security controls and gain access to sensitive data. The risk is serious because inclusion is not limited to the expected file types: other files, including images, can be included. Website owners using this plugin should check their installed version and apply the necessary updates to protect their sites against exploitation.

Affected Version(s)

WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor * <= 1.3.7

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Craig Smith