WordPress Plugin Vulnerabilities

WP Travel Engine < 6.3.6 - Unauthenticated Local File Inclusion

Description

The WP Travel Engine plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 6.3.5. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

Plugin icon
wp-travel-engine
Fixed in 6.3.6

References

CVE
CVE-2025-30870
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/fbdc0074-f357-455e-8f17-0821494ea550

Classification

Type
RFI
OWASP top 10
A1: Injection
CWE
CWE-98
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
f2aaeb03-93ce-439d-bd82-08aff295673b

Timeline

Publicly Published
2025-03-27 (about 1 year ago)
Added
2025-04-03 (about 1 year ago)
Last Updated
2025-04-03 (about 1 year ago)

Other

Published
Title
Published
2026-02-25
Title
Innovio - Multipurpose Landing Page WordPress Theme < 1.9.1 - Unauthenticated Local File Inclusion
Published
2025-06-25
Title
Katerio - Magazine <= 1.5.1 - Unauthenticated Local File Inclusion
Published
2026-04-08
Title
WaveRide < 1.5 - Unauthenticated Local File Inclusion
Published
2025-09-04
Title
Femme <= 1.3.11 - Unauthenticated Local File Inclusion
Published
2025-05-07
Title
Open Close WooCommerce Store <= 4.9.6 - Authenticated (Contributor+) Local File Inclusion