Local File Inclusion Vulnerability in WP Travel Engine Plugin for WordPress
CVE-2025-7634

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Vendor: CVE Published:; 9 October 2025

What is CVE-2025-7634?

The WP Travel Engine plugin for WordPress is susceptible to a Local File Inclusion vulnerability due to improper handling of the 'mode' parameter in all versions up to and including 6.6.7. This flaw enables unauthorized attackers to include and execute arbitrary .php files on the server. If exploited, this vulnerability could lead to the execution of any code within those .php files, facilitating access control bypass, sensitive data exposure, or even full server compromise.

Affected Version(s)

WP Travel Engine – Tour Booking Plugin – Tour Operator Software * <= 6.6.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp-travel-engi...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 9, 2025
Vulnerability Reserved
Jul 14, 2025

Credit

wesley

JSON