Wp Travel
by WordPress
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-4290 | | Cri | 0.59 | 9.1 | 0.00 | | May 29, 2026 | The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and… |
| CVE-2026-45218 | | Hig | 0.50 | 7.7 | 0.00 | | May 12, 2026 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0. |
| CVE-2025-22691 | | Hig | 0.49 | 7.6 | 0.00 | | Feb 3, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows SQL Injection. This issue affects WP Travel: from n/a through <= 10.1.3. |
| CVE-2023-47224 | | Hig | 0.49 | 7.5 | 0.00 | | Jan 2, 2025 | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 7.8.0. |
| CVE-2024-53813 | | Med | 0.42 | 6.5 | 0.00 | | Dec 6, 2024 | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 9.6.0. |
| CVE-2024-44039 | | Med | 0.38 | 5.9 | 0.00 | | Oct 6, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Travel WP Travel wp-travel allows Stored XSS. This issue affects WP Travel: from n/a through <= 9.3.1. |
| CVE-2024-12067 | | Med | 0.35 | 6.5 | 0.00 | | Jan 9, 2025 | The WP Travel – Ultimate Travel Booking System, Tour Management Engine plugin for WordPress is vulnerable to SQL Injection via the 'booking_itinerary' parameter of the 'wptravel_get_booking_data' function in all versions up to, and including, 10.0.0 due to insufficient… |
| CVE-2021-4389 | | Med | 0.21 | 4.3 | 0.00 | | Jul 1, 2023 | The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata… |