A high-severity vulnerability has been identified in multiple WP Travel products, specifically affecting the WP Travel Gutenberg Blocks plugin. This flaw allows an attacker to access and read sensitive files on the web server, which could expose critical information such as database credentials and system configuration files. Successful exploitation could lead to a full compromise of the affected website and its underlying server.

The vulnerability is a Local File Inclusion (LFI) flaw within the WP Travel Gutenberg Blocks plugin. It stems from the application's failure to properly sanitize user-supplied input that is used to construct a file path for a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a malicious request containing path traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary local files. This could allow the attacker to read sensitive files like wp-config.php, /etc/passwd, or other application source code and configuration files, leading to sensitive information disclosure.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have significant business consequences, including the theft of sensitive data such as customer information, intellectual property, and system credentials. This can lead to a severe data breach, resulting in financial loss, regulatory fines (e.g., under GDPR or CCPA), and significant damage to the organization's reputation. A successful attack could also serve as a stepping stone for further intrusions into the network, potentially leading to a complete system compromise.

Immediate Action: Organizations must apply the security updates provided by the vendor across all affected installations immediately. Before deployment to production, patches should be tested in a staging environment to ensure compatibility. Concurrently, security teams should begin actively monitoring web server access logs for any signs of exploitation attempts targeting this vulnerability.

Proactive Monitoring: Review web server and application logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e%2f) in parameters associated with the WP Travel plugin. Implement and monitor alerts from a Web Application Firewall (WAF) for rules designed to detect and block Local File Inclusion attacks. Monitor for unexpected read access to sensitive system files by the web server user account.

Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:

• Deploy a Web Application Firewall (WAF) with strict rules to block LFI attack patterns.
• If the "WP Travel Gutenberg Blocks" plugin is not essential, disable it until a patch can be applied.
• Harden the server's PHP configuration by restricting file access with open_basedir and ensuring allow_url_include is disabled.
• Enforce the principle of least privilege by ensuring the web server process has read access only to the files and directories it absolutely needs.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the potential for sensitive data exposure, we strongly recommend that organizations prioritize the immediate application of vendor-supplied patches. Although this CVE is not currently listed on the CISA KEV catalog, its severity and the widespread use of WordPress make it a highly attractive target for attackers. Organizations should treat this as a critical vulnerability and expedite remediation efforts while actively monitoring for any signs of attempted or successful exploitation.