CVE Catalog

CVE-2025-69133

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Summary

The Tourmaster plugin version 5.4.5 and earlier contains a Local File Inclusion (LFI) vulnerability exploitable by a subscriber. An authenticated user with the subscriber role can read arbitrary files on the server.

Risk Assessment

An attacker can access sensitive configuration files, passwords, or user data, leading to confidentiality breach and potential privilege escalation.

Recommendation

Immediately update the Tourmaster plugin to the latest available version that fixes this vulnerability. If an update is not possible, temporarily disable the plugin or restrict access to it.

Original NVD description (English source)

Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS