Cyber Resilience

CVE-2025-1771

Critical

Published: 15 March 2025

Modified: 28 March 2025
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (33.2th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1771 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Shinecommerce Traveler. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Traveler theme for WordPress is vulnerable to local file inclusion in all versions through 3.1.8. The flaw exists in the hotel_alone_load_more_post function's handling of the style parameter, which permits inclusion and execution of arbitrary server-side files and therefore any PHP code contained in them.

Unauthenticated attackers can exploit the issue over the network by supplying a crafted style value. Successful exploitation can bypass access controls, disclose sensitive data, or yield remote code execution when an attacker can first upload a PHP file that is later included.

The referenced changelog at travelerwp.com and the Wordfence advisory provide the primary sources for mitigation guidance and patch availability.

EPSS for the CVE rose from a low baseline to a peak of 0.0114 on 2026-01-13 before receding, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

LFI in a public-facing WordPress application enables T1190 for remote exploitation; arbitrary file inclusion facilitates T1005 for local data access and T1505.003 for RCE via PHP web shell inclusion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12563 (shared CWE-98)
CVE-2025-69072 (shared CWE-98)
CVE-2026-32364 (shared CWE-98)
CVE-2026-39681 (shared CWE-98)
CVE-2025-68537 (shared CWE-98)
CVE-2026-28079 (shared CWE-98)
CVE-2026-28061 (shared CWE-98)
CVE-2026-28048 (shared CWE-98)
CVE-2026-22516 (shared CWE-98)
CVE-2026-28120 (shared CWE-98)

Affected Assets

shinecommerce · traveler · ≤ 3.1.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates and sanitizes the unauthenticated 'style' parameter in the 'hotel_alone_load_more_post' function to block arbitrary local file paths and prevent LFI exploitation.

prevent

Remediates the specific LFI flaw in Traveler theme versions up to 3.1.8 by applying vendor patches from the changelog, eliminating the vulnerable code.

prevent · detect

Boundary protection at web interfaces using WAF rules detects and blocks common LFI payloads targeting the 'style' parameter.
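
One way to implement the input-validation control described above, shown as an added example that is not the Traveler theme's code or the vendor's patch. The handler name, template directory and style names are hypothetical; the point is that the request-supplied style value only selects from a fixed map and never contributes path text to the include.

```php
<?php
// Added example: allowlist-based template selection for a request-supplied
// "style" value. All names below (functions, directory, style keys) are
// hypothetical and are not taken from the Traveler theme.

const TEMPLATE_DIR = __DIR__ . '/templates/load-more';

// Request value => fixed file name. The request never contributes path text.
const STYLE_TEMPLATES = [
    'grid' => 'style-grid.php',
    'list' => 'style-list.php',
];

/**
 * Return the absolute path of the template for $style, or null when the
 * value is not an allowlisted style.
 */
function resolve_style_template($style): ?string
{
    // Reject arrays (style[]=...) and any value that is not a known key.
    if (!is_string($style) || !array_key_exists($style, STYLE_TEMPLATES)) {
        return null;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . STYLE_TEMPLATES[$style]);

    // Defence in depth: the resolved file must exist and sit inside the
    // template directory, even if the map is edited later or a symlink appears.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function handle_load_more(array $request): void
{
    $template = resolve_style_template($request['style'] ?? null);
    if ($template === null) {
        http_response_code(400); // unknown style: refuse, never fall back to raw input
        return;
    }
    include $template;
}
```

Rejected values are worth logging with the source address, since repeated unknown style values against this handler are a useful detection signal alongside the WAF rule.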

References