Local File Inclusion Vulnerability in WP Travel Engine by WordPress
CVE-2025-30871

7.5 HIGH

Key Information:

Vendor

WordPress

CVE Published:
27 March 2025

What is CVE-2025-30871?

WP Travel Engine, a popular plugin for WordPress, is susceptible to a local file inclusion vulnerability caused by improper control of filename parameters in its PHP scripts. An attacker could exploit this flaw to have the server include files it should not, which could lead to unauthorized access to sensitive files on the server. All releases up to and including version 6.3.5 are affected, so keeping the plugin updated is important to mitigate the risk.

Affected Version(s)

WP Travel Engine <= 6.3.5

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

LVT-tholv2k (Patchstack Alliance)