Wptravelengine Wp Travel Engine vulnerabilities
9 known vulnerabilities affecting wptravelengine/wp_travel_engine.
Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 4
Vulnerabilities
CVE-2024-30502 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | fixed in 5.8.0 | 2024-03-29
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.
nvd
CVE-2025-30870 | P3 | CRITICAL | CVSS 9.8 | CWE-98 | fixed in 6.3.6 | 2025-04-01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
nvd
CVE-2025-5282 | P3 | HIGH | CVSS 7.5 | CWE-862 | fixed in 6.5.2 | 2025-06-13
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
nvd
CVE-2025-30871 | P3 | HIGH | CVSS 7.5 | CWE-98 | fixed in 6.3.6 | 2025-03-27
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
nvd
CVE-2024-30504 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 5.8.0 | 2024-03-29
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.
nvd
CVE-2024-32798 | P4 | MEDIUM | CVSS 5.3 | CWE-862 | fixed in 5.8.1 | 2024-06-09
Missing Authorization vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.8.0.
nvd
CVE-2021-24680 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.3.1 | 2022-01-03
The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed.
nvd
CVE-2024-37944 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 5.9.2 | 2024-07-20
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Travel Engine allows Stored XSS. This issue affects WP Travel Engine: from n/a through 5.9.1.
nvd
CVE-2024-10606 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 6.2.2 | 2024-11-23
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level acc
nvd