CVE-2025-7634 — AI Deep Analysis Summary

🚨 **Essence**: Local File Inclusion (LFI) via the `mode` parameter. 📉 **Consequences**: Attackers can read sensitive server files or potentially execute arbitrary code, compromising the entire WordPress site integrity.

🛡️ **Root Cause**: CWE-98 (Improper Control of Filename for Include/Require). The plugin fails to sanitize the `mode` input before including files, allowing path traversal attacks.

📦 **Affected**: WordPress Plugin **WP Travel Engine – Tour Booking Plugin – Tour Operator Software**. 📅 **Version**: **6.6.7 and earlier**. 🏢 **Vendor**: wptravelengine.

💀 **Impact**: High Severity (CVSS 9.8). Hackers can achieve **Full System Compromise**. They can read sensitive data (C:H), modify site content (I:H), and disrupt service (A:H) without authentication.

⚡ **Threshold**: **LOW**. CVSS Vector `AV:N/AC:L/PR:N/UI:N` indicates it is Network-accessible, Low Complexity, and requires **No Privileges** or User Interaction. Easy to exploit remotely.

🔍 **Exploit Status**: No public PoC/Exploit listed in the data (`pocs: []`). However, the vulnerability is well-documented in source code diffs, making it highly likely to be exploited soon.

🔎 **Self-Check**: Scan for installed version **< 6.6.7**. Check if the plugin is active. Look for AJAX endpoints related to `LoadTripsHtml` or `FilterTripsHtml` that accept unsanitized `mode` parameters.

🛠️ **Fix**: Update the plugin to the latest version immediately. The vendor has acknowledged the issue via WordPress Trac and Wordfence advisories. Patching resolves the LFI flaw.

🚧 **Workaround**: If patching is delayed, **deactivate and delete** the WP Travel Engine plugin. Alternatively, restrict access to WordPress AJAX endpoints via WAF rules blocking suspicious `mode` parameter values.

🔥 **Priority**: **CRITICAL**. With a CVSS score of 9.8 and no auth required, this is an immediate threat. Prioritize patching to prevent unauthorized access and data breaches.