EUVD-2026-36893
GHSA-hmxm-j74j-wr83
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description explicitly states unauthenticated PHP Object Injection (PR:N, UI:N, AV:N); deserialization-to-RCE yields full C/I/A impact within the WordPress process scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
AnalysisAI
Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of the WP Travel Engine plugin on any WordPress site running version 6.7.12 or earlier, consistent with the CVSS vector AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All signals point to high real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker scans the internet for WordPress sites running WP Travel Engine, identifies a vulnerable endpoint that accepts serialized input (typically a POST parameter, cookie, or AJAX action handler), and submits a crafted serialized payload chaining gadgets to write a PHP webshell into the wp-content directory or trigger arbitrary code execution. The attacker then uses the webshell to dump wp_users credentials, pivot to the underlying host, or deploy SEO spam and cryptominers. … |
| Remediation | Patch available per vendor advisory - upgrade the WP Travel Engine plugin to a version newer than 6.7.12 as published on the WordPress.org plugin repository; consult https://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-6-7-12-php-object-injection-vulnerability for the fixed-release number, which was not explicitly provided in the input data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations to identify WP Travel Engine plugin presence and version; document affected environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through
Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers
Share
External POC / Exploit Code
Leaving vuln.today