Wptravelengine Wp Travel Engine
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Wptravelengine Wp Travel Engine.
By the Year
In 2026 there have been 0 vulnerabilities in Wptravelengine Wp Travel Engine. Last year, in 2025 Wp Travel Engine had 4 security vulnerabilities published. Right now, Wp Travel Engine is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 4 | 7.50 |
| 2024 | 5 | 6.40 |
| 2023 | 0 | 0.00 |
| 2022 | 1 | 5.40 |
It may take a day or so for new Wp Travel Engine vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Wptravelengine Wp Travel Engine Security Vulnerabilities
WP Travel Engine <=6.5.1 – Cap Check Missing Lets Unauth Delete Posts
CVE-2025-5282
7.5 - High
- June 13, 2025
The WP Travel Engine Tour Booking Plugin Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
AuthZ
WP Travel Engine <=6.5.1 Improper Filename Control in Include/Require (LFI/RFI)
CVE-2025-49308
- June 06, 2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.5.1.
Remote file include
WP Travel Engine LFI/RFI via include/require before 6.3.5
CVE-2025-30870
- April 01, 2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5.
Remote file include
WP Travel Engine LFI via improper include control before 6.3.6
CVE-2025-30871
- March 27, 2025
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5.
Remote file include
WP Travel Engine Plugin: Authenticated Contributor-Level Access Can Modify Settings
CVE-2024-10606
4.3 - Medium
- November 23, 2024
The WP Travel Engine Tour Booking Plugin Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates.
AuthZ
WP Travel Engine <=5.9.1 Stored XSS via Improper Input Neutralization
CVE-2024-37944
5.4 - Medium
- July 20, 2024
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Travel Engine allows Stored XSS.This issue affects WP Travel Engine: from n/a through 5.9.1.
XSS
WP Travel Engine Missing Auth Vulnerability Before 5.8.0
CVE-2024-32798
5.3 - Medium
- June 09, 2024
Missing Authorization vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.8.0.
AuthZ
WP Travel Engine SQL Injection (pre-5.7.9)
CVE-2024-30504
7.2 - High
- March 29, 2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.7.9.
SQL Injection
WP Travel Engine 5.7.9 SQLi - Special Elements Neutralization Issue
CVE-2024-30502
9.8 - Critical
- March 29, 2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.7.9.
SQL Injection
The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages
CVE-2021-24680
5.4 - Medium
- January 03, 2022
The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed
XSS
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Wptravelengine Wp Travel Engine or by Wptravelengine? Click the Watch button to subscribe.
