Local File Inclusion Vulnerability in Traveler Theme for WordPress
CVE-2024-12811

8.8HIGH

Key Information:

Vendor: WordPress
Status: Travel Booking WordPress Theme
Vendor: CVE Published:; 28 February 2025

Summary

The Traveler theme for WordPress is susceptible to a Local File Inclusion vulnerability through the 'hotel_alone_slider' shortcode 'style' attribute, allowing authenticated users with contributor-level permissions and higher to include and execute arbitrary files on the server. This flaw enables attackers to bypass access controls, obtain sensitive data, or execute malicious PHP code by leveraging included files. All versions of the Traveler theme up to 3.1.8 are affected, making it crucial for site administrators to apply the latest updates and implement security measures to protect against potential exploitation.

Affected Version(s)

Travel Booking WordPress Theme * <= 3.1.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://travelerwp.com/traveler-changelog/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 28, 2025