
CVE-2025-7634: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wptravelengine WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Severity: Critical
Published: Thu Oct 09 2025 (10/09/2025, 05:23:53 UTC)
Source: CVE Database V5
Vendor/Project: wptravelengine
Product: WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Description

CVE-2025-7634 is a critical Local File Inclusion (LFI) vulnerability in the WP Travel Engine WordPress plugin, affecting all versions up to and including 6.6.7. It allows unauthenticated attackers to manipulate the 'mode' parameter to include and execute arbitrary PHP files on the server. This can lead to full remote code execution, bypass of access controls, and exposure of sensitive data. The vulnerability has a CVSS score of 9.8, indicating a severe risk with no authentication or user interaction required. Although no known exploits are currently in the wild, the ease of exploitation and potential impact make it a high priority for patching. European organizations using this plugin for tour booking or travel operations are at significant risk. Mitigation requires immediate plugin updates once available, restricting file upload capabilities, and implementing web application firewalls to detect suspicious requests.

AI-Powered Analysis

Last updated: 10/16/2025, 08:53:30 UTC

Technical Analysis

CVE-2025-7634 is a critical vulnerability classified as CWE-98 (Improper Control of Filename for Include/Require Statement) found in the WP Travel Engine – Tour Booking Plugin for WordPress, affecting all versions up to and including 6.6.7. The flaw resides in the handling of the 'mode' parameter, which can be manipulated by unauthenticated attackers to perform Local File Inclusion (LFI). This enables attackers to include arbitrary PHP files on the server, potentially executing malicious PHP code. The vulnerability does not require authentication or user interaction, making it highly exploitable remotely over the network. Exploitation can lead to full remote code execution, allowing attackers to bypass access controls, access sensitive data, or take over the affected web server. The CVSS v3.1 score of 9.8 reflects the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized quickly. The plugin is widely used in the travel and tour booking sector, which often handles sensitive customer data and payment information, increasing the stakes of a successful attack. The vulnerability highlights the importance of secure input validation and proper control of file inclusion mechanisms in PHP applications.

Potential Impact

For European organizations, especially those in the travel and tourism sector using the WP Travel Engine plugin, this vulnerability poses a severe risk. Successful exploitation could lead to complete compromise of the web server hosting the plugin, resulting in data breaches involving personal customer information, financial data, and internal business information. This could cause significant reputational damage, regulatory penalties under GDPR for data protection failures, and operational disruption due to system downtime or defacement. Attackers could also use compromised servers as pivot points for further attacks within the corporate network. Given the criticality and ease of exploitation, organizations face a high risk of automated attacks and widespread exploitation attempts once proof-of-concept exploits become available. The impact extends beyond individual businesses to the broader tourism infrastructure, potentially affecting service availability and trust in online booking platforms.

Mitigation Recommendations

Immediate mitigation steps include monitoring for updates from the plugin vendor and applying patches as soon as they are released. Until patches are available, organizations should implement strict input validation and sanitization on the 'mode' parameter to prevent malicious file inclusion. Restrict file upload functionality to prevent uploading of executable PHP files, and enforce least privilege on web server file permissions to limit the impact of any successful inclusion. Deploy Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities, such as suspicious URL parameters or attempts to include local files. Conduct regular security audits and vulnerability scans focused on WordPress plugins and their configurations. Additionally, organizations should maintain robust backup and incident response plans to quickly recover from potential compromises. Educating developers and administrators about secure coding practices related to file inclusion is also recommended to prevent similar issues in custom code.
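The recommendation above to validate the 'mode' parameter rather than let it choose a file is the standard fix for CWE-98: map the accepted values to a fixed set of files and reject everything else. The following PHP is an added illustrative example, not the plugin's own code, and it does not reproduce how WP Travel Engine actually handles 'mode'; the `modes/` directory, the template file names and the `$_GET['mode']` key are assumptions made for the example.

```php
<?php
// Added example (not WP Travel Engine code). Shows the generic CWE-98 pattern
// the advisory describes next to an allowlist-based hardened version.
// Directory, file names and the request key are assumptions.

// Vulnerable pattern: the request value directly decides which file is included.
// Any value an attacker controls becomes part of the include path (CWE-98).
function render_mode_unsafe(string $mode): void
{
    include __DIR__ . '/modes/' . $mode . '.php';
}

// Hardened pattern: an allowlist maps accepted mode names to fixed files.
// The request value is only ever used as a lookup key, never as a path.
const MODE_TEMPLATES = [
    'list'   => 'list.php',
    'detail' => 'detail.php',
];

// Returns the absolute template path for a known mode, or null for anything else.
function resolve_mode_template(?string $mode): ?string
{
    if ($mode === null || !array_key_exists($mode, MODE_TEMPLATES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/modes');
    $path = realpath($base . '/' . MODE_TEMPLATES[$mode]);

    // Defence in depth: even with an allowlist, confirm the resolved file still
    // lives under the expected directory before it is handed to include.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    return $path;
}

function render_mode_safe(?string $mode): void
{
    $template = resolve_mode_template($mode);
    if ($template === null) {
        http_response_code(400);
        echo 'Unknown mode';
        return;
    }
    include $template;
}

// Illustrative entry point: the raw request value never reaches include directly.
render_mode_safe(isset($_GET['mode']) ? (string) $_GET['mode'] : null);
```

Requests carrying a 'mode' value outside the allowlist are answered with a 400 and logged by the web server as such, which also gives a WAF or log-monitoring rule a clean signal to alert on: a burst of rejected 'mode' values, especially ones containing path separators or `php://`-style wrappers, is worth investigating as a probe against this class of flaw.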


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-14T12:23:29.209Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e74b345132fb26fe2091fb

Added to database: 10/9/2025, 5:42:12 AM

Last enriched: 10/16/2025, 8:53:30 AM

Last updated: 11/22/2025, 10:27:24 AM
