CVE-2025-64373: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in shinetheme Traveler
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in shinetheme Traveler traveler allows PHP Local File Inclusion. This issue affects Traveler: from n/a through < 3.2.6.
AI Analysis
Technical Summary
CVE-2025-64373 is a vulnerability classified as Remote File Inclusion (RFI) in the shinetheme Traveler PHP application, affecting all versions prior to 3.2.6. The root cause is improper control over the filename parameter used in PHP include or require statements, which allows an attacker to specify a remote file to be included and executed by the server. Note that the CVE description itself states the resulting impact as PHP Local File Inclusion, although the weakness category is named 'PHP Remote File Inclusion'. This type of vulnerability is critical because it can lead to arbitrary code execution on the web server, enabling attackers to run malicious scripts, steal sensitive data, modify or delete files, or pivot deeper into the network. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. Although no known exploits are currently in the wild, the nature of RFI vulnerabilities historically makes them attractive targets for attackers. The affected product, Traveler by shinetheme, is a PHP-based application commonly used in travel and hospitality industries for booking and management purposes. The vulnerability was reserved on 31 October 2025 and published on 18 December 2025, but no CVSS score has been assigned yet. The absence of patches at the time of this report suggests that organizations should be vigilant and apply updates as soon as they become available. The vulnerability’s exploitation could lead to full system compromise, data breaches, and service disruption.
Potential Impact
For European organizations, the impact of CVE-2025-64373 can be severe, especially for those in the travel, tourism, and hospitality sectors that rely on the Traveler application. Successful exploitation could result in unauthorized access to sensitive customer data, including personal and payment information, leading to privacy violations and regulatory non-compliance under GDPR. The integrity of booking and operational data could be compromised, affecting business continuity and trust. Availability of services could be disrupted through malicious payloads or ransomware deployment. The reputational damage and financial losses from data breaches and downtime could be significant. Additionally, attackers could use compromised systems as footholds for lateral movement within corporate networks, increasing the overall risk landscape. Given the cross-border nature of travel services, the impact could extend beyond a single country, affecting multiple European nations simultaneously.
Mitigation Recommendations
1. Immediately upgrade the Traveler application to version 3.2.6 or later once patches are released by shinetheme.
2. Until patches are available, implement strict input validation and sanitization on all parameters that influence file inclusion to prevent injection of remote URLs or arbitrary paths.
3. Disable the allow_url_include directive in PHP configurations to prevent inclusion of remote files.
4. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious file inclusion attempts.
5. Restrict file permissions and use secure coding practices to minimize the impact of potential exploitation.
6. Monitor logs for unusual include/require activity or unexpected outbound connections from the web server.
7. Conduct regular security assessments and penetration testing focused on file inclusion vulnerabilities.
8. Educate development and operations teams about secure handling of dynamic file includes and the risks of RFI vulnerabilities.
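The input validation in recommendation 2 can be implemented as an allowlist plus a canonical-path containment check, shown here as an added example that is not code from Traveler or shinetheme. The `tpl` parameter, the `templates` directory, the template names and `resolve_template()` are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical template directory and allowlist; not taken from Traveler.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['search', 'booking', 'checkout'];

/**
 * Resolve a request-supplied template name to a file that is safe to include.
 * Returns null when the name is rejected.
 */
function resolve_template(string $name): ?string
{
    // 1. Allowlist: only known logical names pass, so URL schemes
    //    (http://, php://, data://) and traversal sequences never reach include.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    // 2. Containment: canonicalise (resolving symlinks) and confirm the
    //    resulting file still lives inside TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Unsafe pattern this replaces: include $_GET['tpl'] . '.php';
$requested = isset($_GET['tpl']) && is_string($_GET['tpl']) ? $_GET['tpl'] : 'search';
$file = resolve_template($requested);
if ($file === null) {
    http_response_code(400);
    // json_encode escapes control characters, keeping the log line intact.
    error_log('Rejected include target: ' . json_encode($requested));
    exit;
}
require $file;
```

Setting `allow_url_include = Off` (recommendation 3) only blocks remote wrappers; the allowlist is what constrains local paths, which is the impact the CVE description names.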
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-31T11:23:19.708Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b0544eb3efac36700adf
Added to database: 12/18/2025, 7:42:12 AM
Last enriched: 12/18/2025, 8:02:06 AM
Last updated: 12/19/2025, 5:40:19 AM