CVE-2025-30891 identifies a Local File Inclusion (LFI) vulnerability in the magepeopleteam WpTravelly WordPress plugin, specifically versions up to and including 1.8.7. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements within the plugin's codebase. This lack of proper validation or sanitization allows an attacker to manipulate the filename input, causing the application to include unintended local files from the server's filesystem. Such an inclusion can lead to the execution of arbitrary PHP code if the attacker can control the contents of the included file, or it can expose sensitive files such as configuration files, password stores, or logs. The vulnerability is categorized under PHP Remote File Inclusion types but is specifically a Local File Inclusion issue, meaning the attacker cannot directly include remote files but can leverage local files to escalate privileges or gather information. The vulnerability affects the WpTravelly plugin, which is used for tour booking management on WordPress sites, a niche but potentially widely deployed plugin in tourism and travel-related websites. No public exploits have been reported yet, and no official patches or updates have been linked in the provided data. The vulnerability was published on March 27, 2025, and was reserved the day before. The absence of a CVSS score indicates that the vulnerability is newly disclosed and not yet fully assessed. The attack vector likely involves sending crafted HTTP requests to the vulnerable plugin endpoints that handle file inclusion, requiring no authentication or user interaction if the plugin is publicly accessible. This vulnerability can be leveraged to compromise the confidentiality and integrity of affected systems and potentially impact availability if malicious code is executed.

The impact of CVE-2025-30891 on organizations worldwide can be significant, especially for those running WordPress sites with the WpTravelly plugin installed. Successful exploitation can lead to unauthorized disclosure of sensitive information such as configuration files, database credentials, or user data, undermining confidentiality. Attackers may also execute arbitrary PHP code on the server, potentially leading to full system compromise, data manipulation, or service disruption, affecting integrity and availability. For tourism and travel businesses relying on WpTravelly, this could result in operational downtime, loss of customer trust, and regulatory compliance issues related to data breaches. The vulnerability's exploitation does not currently require authentication, increasing the risk of automated attacks and mass scanning. Although no known exploits exist in the wild yet, the public disclosure may prompt attackers to develop exploits rapidly. Organizations with inadequate monitoring or outdated plugins are particularly vulnerable. The impact extends beyond individual sites to hosting providers and managed WordPress service providers who may host multiple affected instances, amplifying the risk.

To mitigate CVE-2025-30891, organizations should immediately verify if the WpTravelly plugin is installed and identify the version in use. If the plugin version is 1.8.7 or earlier, upgrade to a patched version once available from the vendor or disable the plugin until a fix is released. In the absence of an official patch, apply temporary mitigations such as restricting PHP include paths using open_basedir directives to limit file inclusion to safe directories. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate file inclusion parameters. Review and harden server and PHP configurations to disable potentially dangerous functions like allow_url_include and ensure proper file permissions to prevent unauthorized file access. Conduct thorough logging and monitoring for unusual file access patterns or errors related to include/require statements. Additionally, consider isolating WordPress instances to minimize lateral movement if compromise occurs. Educate development and security teams about secure coding practices to prevent similar vulnerabilities in custom plugins or themes.