VYPR

WP Travel Engine

by WordPress


CVEs (11)

  • CVE-2026-49770 (Critical), Jun 15, 2026
    risk 0.64, cvss 9.8, epss 0.00

    Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.

  • CVE-2025-7634 (Critical), Oct 9, 2025
    risk 0.64, cvss 9.8, epss 0.01

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute…

  • CVE-2025-7526 (Critical), Oct 9, 2025
    risk 0.64, cvss 9.8, epss 0.01

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This…

  • CVE-2024-30502 (Critical), Mar 29, 2024
    risk 0.62, cvss 9.3, epss 0.02

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.

  • CVE-2026-49078 (High), Jun 15, 2026
    risk 0.49, cvss 7.5, epss 0.00

    Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions.

  • CVE-2025-49308 (High), Jun 6, 2025
    risk 0.49, cvss 7.5, epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through <= 6.5.1.

  • CVE-2024-30504 (High), Mar 29, 2024
    risk 0.49, cvss 7.6, epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine. This issue affects WP Travel Engine: from n/a through 5.7.9.

  • CVE-2026-2437 (Medium), Apr 4, 2026
    risk 0.35, cvss 6.4, epss 0.00

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output…

  • CVE-2025-5282, Jun 13, 2025
    risk 0.00, cvss (not listed), epss 0.00

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for…

  • CVE-2024-10606, Nov 23, 2024
    risk 0.00, cvss (not listed), epss 0.00

    The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1.…

  • CVE-2021-24680, Jan 3, 2022
    risk 0.00, cvss (not listed), epss 0.01

    The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the…