CVE-2026-49770

Vulnerability

The WP Travel Engine plugin for WordPress, versions up to and including 6.7.12, is vulnerable to unauthenticated PHP Object Injection. An attacker can inject arbitrary serialized PHP objects via a crafted request, which may lead to remote code execution, SQL injection, path traversal, or denial of service if a suitable POP chain is present. [1]

Exploitation

No authentication is required. An attacker with network access can send a malicious HTTP request containing the serialized payload. The vulnerability is expected to be exploited in mass campaigns, targeting any site running the vulnerable plugin without any prerequisite user interaction. [1]

Impact

Successful exploitation can result in complete compromise of the affected WordPress site, including arbitrary code execution, data leakage, file manipulation, or service disruption, depending on the available POP gadgets. [1]

Mitigation

The vendor has released version 6.8.0 which fixes the vulnerability. Users should update to 6.8.0 or later immediately. For sites that cannot be updated right away, Patchstack provides a virtual patch mitigation rule to block attacks until the update is applied. [1]