Wptravelengine
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Wptravelengine product.
RSS Feeds for Wptravelengine security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Wptravelengine products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Wptravelengine Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 3 vulnerabilities in Wptravelengine with an average score of 5.7 out of ten. Last year, in 2025 Wptravelengine had 7 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Wptravelengine in 2026 could surpass last years number. Last year, the average CVE base score was greater by 2.18
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 3 | 5.67 |
| 2025 | 7 | 7.85 |
| 2024 | 7 | 6.73 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 5.40 |
It may take a day or so for new Wptravelengine vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Wptravelengine Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-2437 | Apr 04, 2026 |
WP Travel Engine 6.7.5 XSS via wte_trip_tax Shortcode (contrib+)The WP Travel Engine Tour Booking Plugin Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
|
| CVE-2026-32486 | Mar 13, 2026 |
Missing Auth in WP Travel Engine <=1.3.9Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Booking: from n/a through <= 1.3.9. |
Travel Booking
|
| CVE-2026-24607 | Jan 23, 2026 |
Travel Monster <=1.3.3 Missing Auth (wptravelengine)Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Monster: from n/a through <= 1.3.3. |
Travel Monster
|
| CVE-2025-7634 | Oct 09, 2025 |
WP Travel Engine Plugin LFI Vulnerability (6.6.7)The WP Travel Engine Tour Booking Plugin Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. |
|
| CVE-2025-7526 | Oct 09, 2025 |
WP Travel Engine 6.6.7: Arbitrary File Delete via set_user_profile_imageThe WP Travel Engine Tour Booking Plugin Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). |
|
| CVE-2025-5282 | Jun 13, 2025 |
WP Travel Engine <=6.5.1 – Cap Check Missing Lets Unauth Delete PostsThe WP Travel Engine Tour Booking Plugin Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts. |
Wp Travel Engine
|
| CVE-2025-49308 | Jun 06, 2025 |
WP Travel Engine <=6.5.1 Improper Filename Control in Include/Require (LFI/RFI)Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.5.1. |
Wp Travel Engine
|
| CVE-2025-30870 | Apr 01, 2025 |
WP Travel Engine LFI/RFI via include/require before 6.3.5Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5. |
Wp Travel Engine
|
| CVE-2025-30871 | Mar 27, 2025 |
WP Travel Engine LFI via improper include control before 6.3.6Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5. |
Wp Travel Engine
|
| CVE-2024-37272 | Jan 02, 2025 |
Travel Monster 1.1.2 WP Travel Engine CSRFCross-Site Request Forgery (CSRF) vulnerability in wptravelengine Travel Monster travel-monster allows Cross Site Request Forgery.This issue affects Travel Monster: from n/a through <= 1.1.2. |
Travel Monster
|