CVE-2025-7634 is a critical vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Programs) found in the WP Travel Engine – Tour Booking Plugin for WordPress. This plugin, widely used for managing tour bookings and travel operations, suffers from a Local File Inclusion (LFI) flaw affecting all versions up to 6.6.7. The vulnerability arises from insufficient validation of the 'mode' parameter, which is used in PHP include or require statements. An attacker can manipulate this parameter to include arbitrary PHP files from the server or potentially remote locations if remote file inclusion is enabled. Exploiting this flaw allows unauthenticated attackers to execute arbitrary PHP code, leading to full system compromise. The impact includes bypassing access controls, data theft, and remote code execution. The vulnerability has a CVSS v3.1 score of 9.8 (critical), reflecting its high impact and ease of exploitation without any authentication or user interaction. Although no public exploits have been reported yet, the vulnerability's nature and criticality make it a prime target for attackers. The plugin's widespread use in the tourism industry, especially within WordPress environments, increases the attack surface. The lack of available patches at the time of disclosure necessitates immediate defensive measures to mitigate risk.

For European organizations, especially those in the travel and tourism sector using WordPress with the WP Travel Engine plugin, this vulnerability poses a severe risk. Exploitation can lead to unauthorized access to sensitive customer data, including personal and payment information, potentially violating GDPR regulations and resulting in significant legal and financial penalties. Remote code execution can allow attackers to deploy malware, establish persistent backdoors, or pivot within the network, threatening broader organizational IT infrastructure. The disruption of booking services can cause operational downtime, damaging reputation and revenue. Given the critical nature of the vulnerability and the plugin's role in business operations, the impact on confidentiality, integrity, and availability is substantial. Organizations may also face compliance issues and loss of customer trust if exploited.

Immediate mitigation should focus on restricting access to the vulnerable plugin functionality by disabling or removing the WP Travel Engine plugin until a security patch is released. Organizations should monitor for updates from the plugin vendor and apply patches promptly once available. Implement strict file upload controls to prevent uploading of executable PHP files, including validating file types and using server-side restrictions. Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block Local File Inclusion attempts, particularly targeting suspicious 'mode' parameter usage. Conduct thorough code reviews and security audits of customizations related to the plugin. Additionally, implement network segmentation to limit the impact of potential compromises and maintain regular backups to enable recovery. Monitoring logs for unusual file inclusion or execution patterns can help detect exploitation attempts early.