Filtered by vendor Wptravelengine
Subscriptions
Filtered by product Wp Travel Engine
Subscriptions
Total
12 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7526 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2025-10-09 | 9.8 Critical |
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-7634 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2025-10-09 | 9.8 Critical |
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | ||||
| CVE-2025-59574 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2025-09-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Travel Engine WP Travel Engine allows Stored XSS. This issue affects WP Travel Engine: from n/a through 1.4.2. | ||||
| CVE-2025-5282 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-07-10 | 7.5 High |
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts. | ||||
| CVE-2025-30871 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-06-09 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5. | ||||
| CVE-2025-30870 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-05-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine allows PHP Local File Inclusion. This issue affects WP Travel Engine: from n/a through 6.3.5. | ||||
| CVE-2024-37944 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Travel Engine allows Stored XSS.This issue affects WP Travel Engine: from n/a through 5.9.1. | ||||
| CVE-2024-10606 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | 4.3 Medium |
| The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates. | ||||
| CVE-2024-30502 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.7.9. | ||||
| CVE-2024-30504 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-11 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.7.9. | ||||
| CVE-2024-32798 | 1 Wptravelengine | 1 Wp Travel Engine | 2025-02-10 | 7.5 High |
| Missing Authorization vulnerability in WP Travel Engine.This issue affects WP Travel Engine: from n/a through 5.8.0. | ||||
| CVE-2021-24680 | 1 Wptravelengine | 1 Wp Travel Engine | 2024-11-21 | 5.4 Medium |
| The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed | ||||
Page 1 of 1.