EUVD-2025-18242 | CVE-2025-5282
Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2025-06-13, source: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline (4 events, most recent first)

Analysis Generated: Mar 14, 2026 - 21:34 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 21:34 (euvd), EUVD-2025-18242
Patch Released: Mar 14, 2026 - 21:34 (nvd), patch available
CVE Published: Jun 13, 2025 - 04:15 (nvd)

Description

The WP Travel Engine - Tour Booking Plugin - Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Analysis

The WP Travel Engine plugin for WordPress is missing a capability check in its delete_package() function, so an unauthenticated attacker can delete arbitrary posts. All versions up to and including 6.5.1 are affected. The outcome is unauthorized data loss, scored CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): reachable over the network, no privileges, no user interaction, with the impact confined to integrity. Note that the vector rates availability as None; in practice, deleting a tour operator's package posts can still take the booking side of the site out of service, so treat this as a significant risk for any installation running an affected plugin version.

Technical Context

The vulnerability is in the WP Travel Engine Tour Booking Plugin (CPE: wp:wp_travel_engine), a WordPress plugin that provides tour operator booking functionality. The root cause is classified as CWE-862 (Missing Authorization): the delete_package() handler performs no WordPress capability check (such as current_user_can('delete_post', $post_id)) before deleting the post, and does not even require the caller to be authenticated. The CVE data does not say whether the handler is reached through admin-ajax.php or a REST route. In either case WordPress will hand the request to the plugin's handler for any network client if the handler is registered for unauthenticated use (a wp_ajax_nopriv_* hook, or a REST route whose permission_callback is __return_true), and nothing downstream re-checks authorization. This is a common class of bug in WordPress plugins. Two points a reviewer should keep separate: a nonce check (check_ajax_referer()) is CSRF protection and not authorization, so it does not replace a capability check; and delete_post is the right capability to check because it is a meta-capability that WordPress maps to the post type's delete_posts, delete_others_posts, delete_published_posts or delete_private_posts depending on who owns the post and its status.
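The pattern described above, shown as an added example and not as the WP Travel Engine plugin's own code: a hypothetical AJAX delete handler that is exposed to anonymous callers with no nonce and no capability check, beside the hardened form, plus the REST-route equivalent. The function names, hook names, the 'package' post type and the nonce action are all assumptions made for the illustration.

```php
<?php
/*
 * Added illustration (not the WP Travel Engine plugin's code): the missing-
 * authorization pattern CWE-862 describes, and the fixed form. All names
 * (example_delete_package, example_delete_package_secure, the 'package'
 * post type, the nonce action) are hypothetical.
 */

// VULNERABLE PATTERN: registered for both logged-in and anonymous callers
// (wp_ajax_nopriv_*), with no nonce and no capability check. Any network
// client can POST action=example_delete_package&post_id=N to
// /wp-admin/admin-ajax.php and delete post N, whatever its type.
function example_delete_package() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( $post_id ) {
        wp_delete_post( $post_id, true );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_package', 'example_delete_package' );
add_action( 'wp_ajax_nopriv_example_delete_package', 'example_delete_package' );

// HARDENED PATTERN: no nopriv registration, a nonce against CSRF, a meta-
// capability check for *this* post, and a post-type restriction so the
// handler cannot be repurposed to delete pages or other content.
function example_delete_package_secure() {
    // 1. CSRF: the request must carry a nonce issued to the current user.
    check_ajax_referer( 'example_delete_package', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || 'package' !== $post->post_type ) {
        wp_send_json_error( 'invalid package', 400 );
    }

    // 2. Authorization: delete_post is a meta-capability that WordPress
    //    maps to delete_posts / delete_others_posts / delete_published_posts
    //    for the post's type, owner and status. A nonce alone is not this.
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! wp_delete_post( $post->ID, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $post->ID ) );
}
add_action( 'wp_ajax_example_delete_package_secure', 'example_delete_package_secure' );
// Deliberately no wp_ajax_nopriv_ hook: for an anonymous caller admin-ajax.php
// finds no nopriv handler and answers "0" with HTTP 400 before any plugin code runs.

// REST equivalent: the same checks belong in permission_callback, never
// '__return_true', so WordPress rejects the request before the callback runs.
// Cookie-authenticated REST calls also need a valid X-WP-Nonce header; without
// one WordPress treats the caller as logged out, so current_user_can() fails.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/package/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => function ( WP_REST_Request $req ) {
            $deleted = wp_delete_post( (int) $req['id'], true );
            return rest_ensure_response( array( 'deleted' => false !== $deleted && null !== $deleted ) );
        },
        'permission_callback' => function ( WP_REST_Request $req ) {
            $post = get_post( (int) $req['id'] );
            return $post && 'package' === $post->post_type
                && current_user_can( 'delete_post', $post->ID );
        },
        'args' => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );
```

When reviewing a plugin for this bug class, grep for wp_ajax_nopriv_ registrations and for register_rest_route() calls whose permission_callback is __return_true, then confirm every destructive handler behind them checks a capability against the specific object it acts on, not just that the user is logged in.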

Affected Products

WP Travel Engine – Tour Booking Plugin – Tour Operator Software (CPE: wp:wp_travel_engine): all versions up to and including 6.5.1, on any WordPress site where the plugin is active. The flaw is in the plugin's own code and is not dependent on configuration, theme, or the presence of companion plugins, and nothing in the CVE data ties it to a particular WordPress core version. No vendor advisory link is included in the CVE record; consult the plugin's changelog on the WordPress Plugin Repository and WP Travel Engine's official channels for the fixed release.

Remediation

Immediate actions:

1. Update WP Travel Engine to a fixed release. The timeline above records a patch as available and the affected range as up to and including 6.5.1, so the fix should be in the next release (6.5.2 or later); confirm against the plugin changelog on the WordPress Plugin Repository or the WP Travel Engine website before relying on a version number.
2. If a patched version cannot be installed immediately, deactivate the plugin until it can be. Deactivation removes the exposed handler; leaving the plugin active but unused does not.
3. Look for unauthorized deletions that happened before patching. WordPress core keeps no audit log, so use an audit-log plugin if one was already installed, and otherwise the web server access logs: POST requests to /wp-admin/admin-ajax.php or to the REST API (/wp-json/) from clients that never authenticated, especially bursts from a single IP. Check the Trash first, but note that wp_delete_post() only moves the built-in post and page types to the Trash and removes other post types outright, so package posts deleted this way are likely gone and must be restored from backup.

Workarounds (temporary): a Web Application Firewall rule can block the vulnerable endpoint for unauthenticated clients, but delete_package() is a PHP function name, not a URL. The rule has to match the actual admin-ajax action or REST route the plugin registers, which the CVE data does not name, so identify it from the plugin source first. Blocking all unauthenticated POSTs to admin-ajax.php is too coarse and may break legitimate front-end features that rely on it. If the hosting stack supports it, restrict access to the endpoint by IP or authentication at the web server layer in the same scoped way.

Long-term: after patching, audit the plugin's other handlers for the same pattern (wp_ajax_nopriv_ registrations and REST routes without a capability check). Keep a WordPress security scanner such as Wordfence or Sucuri in place; these tools match installed plugin versions against published advisories and can ship firewall rules quickly, but they do not find unknown authorization bugs, so code review remains necessary.
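One way to buy time while a patched release is rolled out, as an added example and not a vendor patch or the plugin's code: a must-use plugin that refuses any post deletion or trashing attempted from an AJAX or REST request whose caller lacks the delete_post capability for that post, independent of which action or route the vulnerable handler uses. The file name, function names and log format are assumptions; the WordPress hooks (pre_delete_post, pre_trash_post, wp_doing_ajax) are real.

```php
<?php
/*
 * Plugin Name: Example unauthenticated-delete guard (mu-plugin)
 *
 * Added illustration, not WP Travel Engine's code or a vendor patch. A
 * temporary mitigation for installs that cannot update yet: refuse any
 * post deletion or trashing attempted from an AJAX or REST request whose
 * caller lacks the delete_post capability for that post. Save it as
 * wp-content/mu-plugins/example-delete-guard.php so it loads before
 * ordinary plugins and cannot be deactivated from the dashboard.
 *
 * Assumptions and limits: it only covers deletions that go through
 * wp_delete_post() / wp_trash_post(); a plugin that deletes rows with $wpdb
 * directly bypasses it. It is scoped to AJAX/REST requests so that cron
 * jobs and WP-CLI, which legitimately run without a user, are unaffected.
 */

// True when the current request is handled by admin-ajax.php or the REST API.
function example_guard_is_remote_handler_request() {
    return wp_doing_ajax() || ( defined( 'REST_REQUEST' ) && REST_REQUEST );
}

// Filter callback shared by pre_delete_post and pre_trash_post. Both filters
// start with $pre === null; returning any non-null value makes
// wp_delete_post() / wp_trash_post() return it without touching the post.
function example_guard_block_if_unauthorized( $pre, $post ) {
    if ( null !== $pre || ! example_guard_is_remote_handler_request() ) {
        return $pre; // another filter already decided, or not an AJAX/REST request
    }
    if ( current_user_can( 'delete_post', $post->ID ) ) {
        return $pre; // properly authorized: let WordPress proceed
    }
    // Leave a trace: core keeps no audit log, so write one line to the PHP
    // error log (wp-content/debug.log when WP_DEBUG_LOG is enabled).
    error_log( sprintf(
        'example-guard: blocked delete of post %d (%s) by user %d from %s',
        $post->ID,
        $post->post_type,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return false; // non-null: short-circuit the deletion
}
add_filter( 'pre_delete_post', 'example_guard_block_if_unauthorized', 10, 2 );
add_filter( 'pre_trash_post',  'example_guard_block_if_unauthorized', 10, 2 );
```

The guard is intentionally narrower than "block every delete without a user": permanent removal of items that have sat in the Trash past EMPTY_TRASH_DAYS runs from WP-Cron with no user context, and a blanket check would silently stop it. Remove the mu-plugin once the patched release is installed, and review the error log entries it produced for the source addresses and post IDs of blocked attempts.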

Priority Score

38 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.2, CVSS +38, POC 0


EUVD-2025-18242 vulnerability details – vuln.today
