CVE-2025-1771
Published: 15 March 2025
Summary
CVE-2025-1771 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Shinecommerce Traveler. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Traveler theme for WordPress is vulnerable to local file inclusion in all versions through 3.1.8. The flaw exists in the hotel_alone_load_more_post function's handling of the style parameter, which permits inclusion and execution of arbitrary server-side files and therefore any PHP code contained in them.
Unauthenticated attackers can exploit the issue over the network by supplying a crafted style value. Successful exploitation can bypass access controls, disclose sensitive data, or yield remote code execution when an attacker can first upload a PHP file that is later included.
The referenced changelog at travelerwp.com and the Wordfence advisory provide the primary sources for mitigation guidance and patch availability.
EPSS for the CVE rose from a low baseline to a peak of 0.0114 on 2026-01-13 before receding, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6630
Vulnerability details
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the…
more
server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI in public-facing WordPress app enables T1190 for remote exploitation; arbitrary file inclusion facilitates T1005 for local data access and T1100 for RCE via PHP web shell inclusion.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly validates and sanitizes the unauthenticated 'style' parameter in the 'hotel_alone_load_more_post' function to block arbitrary local file paths and prevent LFI exploitation.
Remediates the specific LFI flaw in Traveler theme versions up to 3.1.8 by applying vendor patches from the changelog, eliminating the vulnerable code.
Boundary protection at web interfaces using WAF rules detects and blocks common LFI payloads targeting the 'style' parameter.