CVE-2025-7634 is a critical security vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement) affecting the WP Travel Engine – Tour Booking Plugin for WordPress. This vulnerability exists in all versions up to and including 6.6.7 and is triggered via the 'mode' parameter. The flaw allows unauthenticated remote attackers to perform Local File Inclusion (LFI), enabling them to include arbitrary PHP files on the server. If attackers can upload PHP files or otherwise place malicious PHP scripts on the server, they can execute arbitrary code with the privileges of the web server process. This can lead to full system compromise, data theft, and bypassing of access controls. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 score of 9.8 reflects its critical nature, with high impact on confidentiality, integrity, and availability. No official patches or fixes have been released at the time of reporting, increasing the urgency for mitigation. The plugin is widely used in WordPress sites focused on tour booking and travel operations, which may be targeted due to their business value and sensitive customer data. Although no known exploits have been reported in the wild yet, the ease of exploitation and severity make this a high-priority threat for affected organizations.

The impact of CVE-2025-7634 is severe for organizations using the WP Travel Engine plugin. Successful exploitation can lead to remote code execution, allowing attackers to fully compromise the web server and potentially pivot to internal networks. Confidential data such as customer information, booking details, and payment data can be exposed or stolen. Integrity of the website and backend systems can be compromised, enabling attackers to alter content, inject malicious code, or create backdoors. Availability may also be affected if attackers disrupt services or deploy ransomware. Since the vulnerability requires no authentication, any internet-facing WordPress site with this plugin is at risk, increasing the attack surface significantly. The tourism and travel sector, which relies heavily on online bookings, may suffer reputational damage and financial losses if exploited. Additionally, the lack of patches means organizations must rely on immediate mitigations to prevent exploitation. The potential for widespread impact is high given the popularity of WordPress and the plugin’s niche in travel-related businesses.

1. Immediately disable or deactivate the WP Travel Engine plugin until a security patch is released. 2. Restrict access to the vulnerable plugin’s functionality by implementing web application firewall (WAF) rules that block requests containing suspicious 'mode' parameter values or attempts to include files. 3. Employ strict input validation and sanitization on all parameters, especially those controlling file inclusions, to prevent malicious input. 4. Use PHP configuration directives such as 'open_basedir' to restrict file inclusion to safe directories and disable 'allow_url_include' to prevent remote file inclusion. 5. Monitor web server logs for unusual requests targeting the 'mode' parameter or attempts to access PHP files unexpectedly. 6. Limit file upload capabilities and scan uploaded files for malicious content to prevent attackers from placing executable PHP scripts on the server. 7. Keep WordPress core and all plugins updated, and subscribe to vendor advisories for timely patch releases. 8. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect LFI attempts. 9. Conduct regular security audits and penetration testing focused on file inclusion vulnerabilities. 10. Prepare incident response plans to quickly contain and remediate any exploitation attempts.