
CVE-2025-49308: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in WP Travel Engine WP Travel Engine

High
Tags: Vulnerability, CVE-2025-49308, CWE-98
Published: Fri Jun 06 2025 (06/06/2025, 12:53:49 UTC)
Source: CVE Database V5
Vendor/Project: WP Travel Engine
Product: WP Travel Engine

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.5.1.

AI-Powered Analysis

Last updated: 07/07/2025, 20:25:02 UTC

Technical Analysis

CVE-2025-49308 is a high-severity vulnerability classified under CWE-98, which pertains to improper control of filenames used in include or require statements in PHP programs. Specifically, this vulnerability affects the WP Travel Engine plugin, a WordPress plugin used for travel booking and management, up to version 6.5.1. The flaw allows for PHP Local File Inclusion (LFI), which means an attacker can manipulate the filename parameter in the include or require statement to load arbitrary files from the local filesystem. This can lead to unauthorized disclosure of sensitive files, execution of arbitrary PHP code, and potentially full system compromise if combined with other vulnerabilities or misconfigurations. The CVSS 3.1 base score is 7.5, indicating a high severity, with the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network but requires low privileges and high attack complexity, with no user interaction needed. The impact on confidentiality, integrity, and availability is high, as an attacker could read sensitive files, modify code execution flow, and disrupt service availability. No known exploits are currently reported in the wild, and no patches or fixes have been linked yet. The vulnerability is particularly critical because WordPress plugins are widely used and often exposed to the internet, making exploitation feasible if the attacker can gain low-level access or exploit other weaknesses to leverage this LFI. The lack of a patch at the time of publication increases the urgency for mitigation.

Potential Impact

For European organizations using WP Travel Engine, especially those in the travel, tourism, and hospitality sectors, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data, including personal identification and payment information, violating GDPR and other data protection regulations. The integrity of booking and travel management systems could be compromised, leading to fraudulent bookings or service disruptions. Availability impacts could cause downtime of critical travel services, damaging reputation and causing financial losses. Given the interconnected nature of travel platforms, a successful attack could cascade to other integrated systems. Organizations with limited patch management capabilities or those running outdated plugin versions are particularly vulnerable. Additionally, the high confidentiality impact raises concerns about data breaches, which could trigger regulatory fines and legal consequences under European data protection laws.

Mitigation Recommendations

1. Immediately audit all WP Travel Engine plugin instances to identify affected versions (up to and including 6.5.1).
2. Restrict file inclusion paths by implementing strict input validation and sanitization (preferably an allowlist of known template names) on any parameter that controls a file path in the plugin code.
3. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious include/require parameter manipulation.
4. Limit PHP process permissions so that it cannot read or execute unauthorized files, applying the principle of least privilege on the web server.
5. Monitor logs for unusual file access patterns or errors related to include/require statements.
6. Until an official patch is released, consider disabling or replacing the WP Travel Engine plugin if feasible.
7. Harden the WordPress environment by disabling PHP settings such as allow_url_include and restricting file system access.
8. Educate development and security teams about the risks of improper file inclusion and enforce secure coding practices for plugin development and customization.
9. Prepare incident response plans specific to LFI attacks so that any exploitation attempt can be contained and remediated quickly.
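As an added example (not code from WP Travel Engine or Patchstack), the PHP below places the CWE-98 shape described in the Technical Analysis next to a hardened template resolver that implements recommendations 2, 5 and 7: an exact-match allowlist of template names, realpath() confinement to the template directory, a logged refusal for anything else, and a check that allow_url_include is off. The template names, the temporary template directory and the probe inputs are constructed for the demonstration and are not taken from the plugin.

```php
<?php
declare(strict_types=1);

// Added example, not WP Travel Engine code. Template names, directory and inputs
// are constructed. It contrasts the CWE-98 pattern (request input reaching include)
// with an allowlist-plus-canonical-path resolver and an allow_url_include check.

const ALLOWED_TEMPLATES = ['booking-form', 'trip-summary', 'checkout'];

/**
 * Vulnerable shape (CWE-98): the caller-supplied name is concatenated straight into
 * include, so traversal sequences or (with allow_url_include=On) URL wrappers are honoured.
 * Shown for contrast only; the demonstration below never calls it.
 */
function render_template_unsafe(string $baseDir, string $name): void
{
    include $baseDir . '/' . $name . '.php';
}

/**
 * Hardened resolver: returns the canonical path of an allowlisted template that
 * lives inside $baseDir, or null if the request must be refused.
 */
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Exact-match allowlist. On its own this rules out traversal, NUL bytes and wrappers.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Canonicalise both sides; realpath() returns false when the file does not exist.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Defence in depth: the resolved file must still sit under the template directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** Includes the template if it resolves; otherwise logs the refusal (recommendation 5). */
function render_template(string $baseDir, string $name): bool
{
    $path = resolve_template($baseDir, $name);
    if ($path === null) {
        error_log('template include rejected: ' . $name);
        return false;
    }
    include $path;
    return true;
}

/** True when the PHP configuration does not permit remote inclusion (recommendation 7). */
function remote_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

// --- demonstration with a constructed template directory in the system temp dir ---
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (ALLOWED_TEMPLATES as $t) {
    file_put_contents("$dir/$t.php", "<?php echo \"rendered $t\\n\";");
}

// Constructed inputs: one legitimate name, a traversal attempt, a URL wrapper, an unknown name.
$inputs = ['booking-form', '../other', 'https://example.invalid/t', 'missing'];
foreach ($inputs as $in) {
    $ok = render_template($dir, $in);
    printf("%-32s => %s\n", var_export($in, true), $ok ? 'included' : 'rejected');
}
printf("allow_url_include disabled: %s\n", remote_include_disabled() ? 'yes' : 'no');

// clean up the constructed directory
foreach (ALLOWED_TEMPLATES as $t) {
    unlink("$dir/$t.php");
}
rmdir($dir);
```

Only 'booking-form' is included; the other three inputs are rejected and written to the PHP error log, which gives the log monitoring in recommendation 5 a concrete line to alert on. The allowlist check is the control that matters; the realpath() confinement stays in place so that a future change to the allowlist (for example, accepting a subdirectory) cannot silently reopen traversal.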


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-06-04T09:42:00.390Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6842ede171f4d251b5c88145

Added to database: 6/6/2025, 1:32:17 PM

Last enriched: 7/7/2025, 8:25:02 PM

Last updated: 8/1/2025, 8:57:40 PM
