cvebase

Wptravelengine Wp Travel Engine vulnerabilities

9 known vulnerabilities affecting wptravelengine/wp_travel_engine.

Total CVEs: 9
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 4

Vulnerabilities

CVE-2024-30502 | P2 | CRITICAL | CVSS 9.8 | PoC | fixed in 5.8.0 | 2024-03-29
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.
nvd
CVE-2025-30870 | P3 | CRITICAL | CVSS 9.8 | fixed in 6.3.6 | 2025-04-01
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
nvd
CVE-2025-5282 | P3 | HIGH | CVSS 7.5 | fixed in 6.5.2 | 2025-06-13
CWE-862: The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
nvd
CVE-2025-30871 | P3 | HIGH | CVSS 7.5 | fixed in 6.3.6 | 2025-03-27
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.3.5.
nvd
CVE-2024-30504 | P3 | HIGH | CVSS 7.2 | fixed in 5.8.0 | 2024-03-29
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.
nvd
CVE-2024-32798 | P4 | MEDIUM | CVSS 5.3 | fixed in 5.8.1 | 2024-06-09
CWE-862: Missing Authorization vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.8.0.
nvd
CVE-2021-24680 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.3.1 | 2022-01-03
CWE-79: The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed
nvd
CVE-2024-37944 | P4 | MEDIUM | CVSS 5.4 | fixed in 5.9.2 | 2024-07-20
CWE-79: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Travel Engine allows Stored XSS. This issue affects WP Travel Engine: from n/a through 5.9.1.
nvd
CVE-2024-10606 | P4 | MEDIUM | CVSS 4.3 | fixed in 6.2.2 | 2024-11-23
CWE-862: The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level acc
nvd