A critical vulnerability has been identified in multiple products from The WP Travel Engine, specifically affecting the Tour Booking Plugin. This flaw allows an unauthenticated attacker to access and read sensitive files on the web server, which could expose confidential data such as database credentials, leading to a full system compromise. Immediate patching is required to mitigate the significant risk of a data breach and server takeover.

The vulnerability is a Local File Inclusion (LFI) flaw within the WP Travel Engine WordPress plugin. An unauthenticated attacker can exploit this by manipulating the mode parameter in a request sent to the application. By using directory traversal techniques (e.g., ../../), the attacker can trick the application into including and displaying the contents of arbitrary files from the server's local file system, such as /etc/passwd or the wp-config.php file containing database credentials.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing an immediate and severe threat to the organization. Successful exploitation could lead to the exposure of highly sensitive information, including database connection strings, application source code, API keys, and other system configuration files. This could result in a complete compromise of the web server, a significant data breach, reputational damage, regulatory fines, and financial loss.

Immediate Action: Immediately update all instances of The WP Travel Engine plugins to the latest patched version as recommended by the vendor. After patching, review web server access logs for any signs of past exploitation attempts targeting this vulnerability.

Proactive Monitoring: Configure security monitoring to detect and alert on suspicious web requests. Specifically, monitor for GET requests containing directory traversal payloads (e.g., ../, %2e%2e%2f) within the mode parameter. Monitor for unusual file access patterns or outbound network connections originating from the web server process.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to block directory traversal attacks. Additionally, enforce strict file permissions on the web server to limit the web server user's access to sensitive system files and directories, reducing the impact of a potential breach.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a full system compromise, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches to all affected systems without delay. Organizations should treat this as a top priority for their patch management cycle. While not yet listed in the CISA KEV catalog, the high severity and potential for widespread impact make proactive remediation essential to prevent future exploitation.