Travelicious – Tour Operator WordPress Theme Vulnerability (High) -…

by | Feb 17, 2026 | Themes

Attack Vectors

Travelicious – Tour Operator WordPress Theme (slug: travelicious) versions earlier than 1.6.7 are affected by CVE-2025-67997, a High severity issue (CVSS 8.1).

The risk is notable because the vulnerability can be reached by unauthenticated attackers over the network, meaning an external party may be able to probe and attempt exploitation without needing a login. The publicly available advisory describes the issue as stemming from deserialization of untrusted input, but does not specify the exact parameter or function.

Security Weakness

This is a PHP Object Injection weakness caused by unsafe handling of serialized data (i.e., the theme processes attacker-controlled input as if it were trustworthy).

On their own, the vulnerable Travelicious versions are reported to contain no known “POP chain”. However, business risk increases if your WordPress site also has another plugin or theme installed that introduces a compatible chain, turning what might be a limited weakness into a pathway for more serious outcomes.

Technical or Business Impacts

If a usable POP chain exists in your environment (from another plugin/theme), this vulnerability could enable outcomes such as arbitrary file deletion, sensitive data access, or even code execution—which can quickly become a full-site compromise.

From a leadership perspective (CEO/COO/CFO/Compliance and Marketing), the impacts can include: brand damage from site defacement, loss of customer trust if personal or booking data is exposed, disruption of lead generation and campaign landing pages, and potential regulatory or contractual reporting obligations depending on what data your WordPress instance stores or transmits.

Remediation: Update Travelicious to version 1.6.7 or a newer patched version as recommended by the vendor/community advisory sources. Track the issue via CVE-2025-67997 and the source advisory from Wordfence Threat Intelligence.
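One way to check a host against the remediation above, as an added example that is not from the advisory or the theme's code: it reads the Version header of the theme's style.css and compares it numerically to 1.6.7. The default wp-content/themes layout is an assumption, and the function names and sample directories are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "travelicious"   # theme directory name, from the advisory
FIXED = (1, 6, 7)       # first patched release, from the advisory

# Same shape WordPress uses for file headers: optional comment chars, "Version:", value.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(.+?)[ \t]*$", re.I | re.M)


def parse_version(css_text):
    """Numeric (major, minor, patch) from a style.css header, or None."""
    m = HEADER_RE.search(css_text[:8192])  # WordPress only reads the first 8 KiB
    nums = re.findall(r"\d+", m.group(1)) if m else []
    if not nums:
        return None
    return tuple(int(n) for n in (nums + ["0", "0"])[:3])  # "1.6" -> (1, 6, 0)


def check_install(wp_root):
    """Return (status, version) for Travelicious under a default-layout WordPress root."""
    css = Path(wp_root) / "wp-content" / "themes" / SLUG / "style.css"
    if not css.is_file():
        return ("not-installed", None)
    ver = parse_version(css.read_text(encoding="utf-8", errors="replace"))
    if ver is None:
        return ("unknown", None)  # header missing or non-numeric: review by hand
    status = "vulnerable" if ver < FIXED else "patched"
    return (status, ".".join(map(str, ver)))


def make_sample(root, version_line):
    """Build a constructed theme directory for the demo (not real theme content)."""
    theme = Path(root) / "wp-content" / "themes" / SLUG
    theme.mkdir(parents=True)
    header = f"/*\nTheme Name: Travelicious\n{version_line}\n*/\n"
    (theme / "style.css").write_text(header, encoding="utf-8")
    return root


if __name__ == "__main__":
    for line in ("Version: 1.6.6", "Version: 1.6.7", "Version: 1.10", ""):
        with tempfile.TemporaryDirectory() as tmp:
            print(repr(line), "->", check_install(make_sample(tmp, line)))
```

The check reports what is installed on disk, whether or not the theme is active, and a child theme that uses Travelicious as its parent is covered because the parent directory is the one inspected.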

Similar Attacks

PHP Object Injection has affected WordPress ecosystems before. For example, CVE-2019-8942 documented an object injection issue in WordPress core (historically impacting certain versions and workflows). These cases highlight why minimizing unsafe deserialization paths—and keeping themes/plugins updated—matters for both security and business continuity.
