VYPR
High severity · 7.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-49078

Description

Unauthenticated vulnerability in WP Travel Engine plugin versions <= 6.7.10 allows remote attackers to compromise websites; update to patched version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

WP Travel Engine plugin for WordPress contains an unauthenticated vulnerability in versions up to and including 6.7.10. The exact nature of the flaw is described as "Other Vulnerability Type" in the official advisory, but it is remotely exploitable without authentication and has a CVSS score of 7.5 [1]. The vulnerability is present in the plugin's code and does not require any special configuration to reach the vulnerable code path.

Exploitation

An attacker can exploit this vulnerability without any authentication by sending specially crafted requests to a WordPress site running a vulnerable version of the WP Travel Engine plugin. The attack is conducted over the network and does not require user interaction or elevated privileges. The reference notes that vulnerabilities like this are actively used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation can lead to full compromise of the affected WordPress site, potentially allowing the attacker to perform arbitrary actions such as data theft, defacement, or further propagation of attacks. The CVSS score of 7.5 indicates high severity, affecting confidentiality, integrity, and/or availability, though the exact impact is not further detailed in the available references [1].

Mitigation

The recommended mitigation is to update the WP Travel Engine plugin to a version newer than 6.7.10 as soon as possible. The Patchstack advisory urges immediate action, especially since this vulnerability is known to be targeted in mass-exploit campaigns [1]. If an update is not immediately possible, users should seek assistance from hosting providers or web developers to apply temporary measures, though no specific workaround is provided.
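To find which installs still need the update, the following added example (not code from the advisory, Patchstack, or the plugin) walks a hosting directory tree, reads the plugin's header, and flags any copy at or below 6.7.10. It assumes the plugin directory is named `wp-travel-engine` and that the main plugin file carries the standard WordPress `Plugin Name:` and `Version:` header lines.

```python
import re
import sys
from pathlib import Path

AFFECTED_MAX = (6, 7, 10)         # advisory: versions <= 6.7.10 are affected
PLUGIN_SLUG = "wp-travel-engine"  # assumed plugin directory name

HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(\S.*?)[ \t]*$",
                       re.IGNORECASE | re.MULTILINE)


def read_header(php_text):
    """Extract 'plugin name' and 'version' from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER_RE.findall(php_text[:8192]):  # header sits at the top
        fields.setdefault(key.lower(), value)
    return fields


def parse_version(text):
    """'6.7.10-beta' -> (6, 7, 10); None when no leading number is present."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None


def is_affected(version_text):
    v = parse_version(version_text)
    if v is None:
        return True  # unreadable version: flag for manual review
    width = max(len(v), len(AFFECTED_MAX))
    pad = lambda t: t + (0,) * (width - len(t))  # so 6.7 compares as 6.7.0
    return pad(v) <= pad(AFFECTED_MAX)


def scan(root):
    """Return sorted (plugin_dir, version, affected) for each install under root."""
    findings = []
    for php in Path(root).glob(f"**/wp-content/plugins/{PLUGIN_SLUG}/*.php"):
        header = read_header(php.read_text(encoding="utf-8", errors="replace"))
        if "plugin name" in header:  # only the main plugin file carries this header
            version = header.get("version", "")
            findings.append((str(php.parent), version, is_affected(version)))
    return sorted(findings)


if __name__ == "__main__":
    for plugin_dir, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8} {version or '?':10} {plugin_dir}")
```

Pass the directory that contains the WordPress installs as the first argument; a version that cannot be parsed is reported as affected so it gets checked by hand.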

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

References: 1

News mentions: 1