CVE-2025-49308
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the WordPress WP Travel Engine plugin (versions up to 6.5.1). It allows an attacker with contributor-level privileges to include and display local files from the target website. This can expose sensitive information such as database credentials and potentially lead to a complete database takeover depending on the website's configuration. [1]
How can this vulnerability impact me? :
The vulnerability can allow an attacker to access and display sensitive local files on your website, which may include database credentials. This exposure can lead to a complete takeover of your database and compromise the security and integrity of your website and its data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WP Travel Engine plugin version is 6.5.1 or earlier, as these versions are affected. Since the vulnerability allows Local File Inclusion via contributor-level privileges, monitoring for unusual file inclusion attempts or unexpected file access in web server logs may help. Specific commands are not provided in the resources, but generally, you can check the plugin version via WordPress admin or by inspecting the plugin files. Additionally, monitoring web server logs for suspicious requests targeting the plugin's include/require functionality could indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the WP Travel Engine plugin to version 6.5.2 or later, where the vulnerability is fixed. If updating immediately is not possible, applying virtual patching (vPatching) provided by Patchstack can auto-mitigate this and other vulnerabilities before official patches are applied. It is also recommended to monitor for any signs of compromise and consider professional incident response services if a website is suspected to be compromised. [1]