CVE-2025-48292: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-48292) was discovered in GoodLayers Tourmaster plugin versions through 5.3.8. The vulnerability was disclosed on May 21, 2025, and affects the WordPress plugin's file inclusion mechanism. This security flaw is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) (Patchstack).

The vulnerability is rated as High severity with a CVSS v3.1 base score of 8.1. The attack vector is Network-based (AV:N) with High complexity (AC:H), requiring No privileges (PR:N) and No user interaction (UI:N). The scope is Unchanged (S:U) with potential High impacts on Confidentiality, Integrity, and Availability (C:H/I:H/A:H) (NVD, Patchstack).

The vulnerability could allow an unauthenticated attacker to include local files of the target website and display their contents. This could potentially expose sensitive information such as database credentials, depending on the configuration, which could lead to complete database compromise (Patchstack).

The vulnerability has been fixed in version 5.3.9 of the Tourmaster plugin. Users are advised to update to version 5.3.9 or later immediately. For users of Patchstack, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update to a fixed version can be completed (Patchstack).