How to fix EUVD-2025-17260?

Within 24 hours: Audit all systems running WP Travel Engine to identify affected versions and document exposure scope. Within 7 days: Implement Web Application Firewall (WAF) rules blocking suspicious file inclusion patterns targeting the vulnerable component, and restrict direct access to the plugin's vulnerable endpoints if possible. Within 30 days: Either upgrade to a patched version once available, replace WP Travel Engine with an alternative solution, or completely disable the plugin if non-critical to operations.

Is PHP affected by EUVD-2025-17260?

WP Travel Engine versions up to 6.5.1 contain a critical file inclusion vulnerability that could allow attackers to access sensitive files on affected servers.

EUVD-2025-17260

| CVE-2025-49308 HIGH

2025-06-06 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 18:10 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 18:10 euvd

EUVD-2025-17260

CVE Published

Jun 06, 2025 - 13:15 nvd

HIGH 7.5

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.5.1.

Analysis

PHP Local File Inclusion (LFI) vulnerability in WP Travel Engine affecting versions through 6.5.1. An authenticated attacker with low privileges can exploit improper filename control in PHP include/require statements to read arbitrary files from the server, potentially obtaining sensitive configuration data, credentials, or source code. While the CVSS score is moderate (7.5), the vulnerability requires authentication and higher attack complexity, but successful exploitation could lead to complete information disclosure and potential privilege escalation.

Technical Context

This vulnerability exploits improper input validation in PHP's include() or require() functions (CWE-98: Improper Control of Filename for Include/Require Statement in PHP). The WP Travel Engine WordPress plugin fails to properly sanitize or validate user-supplied input before passing it to file inclusion functions, allowing an attacker to traverse directory paths and include arbitrary files. The root cause is insufficient use of PHP security functions like basename(), realpath validation, or whitelisting of allowed files. Unlike Remote File Inclusion (RFI), this LFI variant is typically limited to local filesystem access unless the server is configured to allow remote stream wrappers (allow_url_include). The affected software is a WordPress plugin (identified through the WordPress ecosystem context), which runs in a typical LAMP/LEMP environment with PHP execution.

Affected Products

WP Travel Engine (through 6.5.1)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +38

POC: 0

EUVD-2025-17260 vulnerability details – vuln.today

Back

EUVD-2025-17260

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-17260

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code