CVE-2025-30871

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper input validation in the WP Travel Engine WordPress plugin. By manipulating file-inclusion parameters, attackers can potentially read sensitive files or execute code. All WordPress sites running WP Travel Engine versions up to and including 6.3.5 are affected.

💻 Affected Systems

Products:
  • WP Travel Engine WordPress Plugin
Versions: All versions up to and including 6.3.5
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WP Travel Engine plugin enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

Local file inclusion allowing reading of sensitive configuration files (wp-config.php) and potential information disclosure.

🟢

If Mitigated

Limited impact with proper file permissions and web application firewall rules blocking suspicious file inclusion attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of PHP file inclusion vulnerabilities and WordPress plugin structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.3.6 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-6-3-5-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WP Travel Engine and click 'Update Now'.
4. Verify the version is 6.3.6 or higher.

🔧 Temporary Workarounds

Web Application Firewall Rule (platform: all)

Block requests containing suspicious file inclusion patterns in parameters.

Disable Plugin (platform: WordPress)

Temporarily disable the WP Travel Engine plugin until patched:

wp plugin deactivate wp-travel-engine

🧯 If You Can't Patch

  • Implement strict file permissions (644 for files, 755 for directories)
  • Deploy web application firewall with LFI protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP Travel Engine version

Check Version:

wp plugin get wp-travel-engine --field=version

Verify Fix Applied:

Confirm WP Travel Engine version is 6.3.6 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual file paths in GET/POST parameters
  • Multiple 404 errors for non-existent plugin files
  • Access to sensitive files like wp-config.php

Network Indicators:

  • HTTP requests with file path traversal patterns in parameters
  • Requests to plugin endpoints with suspicious include parameters

SIEM Query:

source="web_logs" AND (uri="*wp-travel-engine*" AND (param="*../*" OR param="*/etc/*" OR param="*wp-config*"))
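The SIEM query above matches the literal strings `../`, `/etc/` and `wp-config` in request parameters, so a single layer of URL encoding in the logged request would slip past it. The following Python script is an added example (not part of this advisory or the plugin) that applies the same three indicators to constructed access-log lines after repeatedly URL-decoding each parameter value; the log lines, the `view` parameter name and the IP addresses are invented sample data.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-content/plugins/wp-travel-engine/assets/css/style.css HTTP/1.1" 200 1024
203.0.113.6 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/wp-travel-engine/?view=../../wp-config.php HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/wp-travel-engine/?view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 200
203.0.113.8 - - [01/Jan/2025:10:00:03 +0000] "GET /trips/?view=summer-tour HTTP/1.1" 200 4096
203.0.113.9 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-content/plugins/wp-travel-engine/?view=summer-tour HTTP/1.1" 200 4096
"""

# ip, timestamp, method, request target and status code from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The same indicators as the SIEM query, plus the Windows-style traversal form.
SUSPICIOUS = ("../", "..\\", "/etc/", "wp-config")


def decode_repeatedly(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_lfi_attempts(log_text):
    """Return one record per parameter that matches a file-inclusion indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF entries
        parts = urlsplit(m.group("target"))
        # Mirror the query's uri="*wp-travel-engine*" filter on the decoded path.
        if "wp-travel-engine" not in decode_repeatedly(parts.path).lower():
            continue
        # parse_qsl decodes one layer; decode_repeatedly handles double encoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = decode_repeatedly(value).lower()
            matched = [p for p in SUSPICIOUS if p in decoded]
            if matched:
                hits.append({"ip": m.group("ip"), "param": name, "value": decoded,
                             "patterns": matched, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in flag_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

Only the second and third sample lines are flagged; the third one would not match the wildcard query as logged, because its traversal sequence is double-encoded.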

🔗 References
