Severity by source
CVSS Vector (NVD; primary and only rating source for this CVE): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Description (CVE.org)
The WP Travel Engine - Tour Booking Plugin - Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
Analysis (AI)
The WP Travel Engine plugin for WordPress is missing a capability check in its delete_package() function, so unauthenticated attackers can delete arbitrary posts. The flaw affects all versions up to and including 6.5.1 and results in unauthorized data loss; NVD rates it CVSS 7.5. The vulnerable function is reachable over the network and needs no user interaction, making this a significant integrity risk for WordPress sites running affected plugin versions.
Technical Context (AI)
The vulnerability exists in the WP Travel Engine Tour Booking Plugin (CPE: wp:wp_travel_engine), a WordPress plugin that provides tour operator booking functionality. The root cause is classified under CWE-862 (Missing Authorization), specifically the absence of WordPress capability checks (such as current_user_can() validation) in the delete_package() AJAX or REST endpoint handler. WordPress plugins typically implement authorization through capability verification before executing privileged operations. The delete_package() function fails to validate that the requesting user possesses administrative capabilities or is even authenticated, allowing the function to process deletion requests from any network source. This is a common class of vulnerability in WordPress plugins where AJAX endpoints or REST routes are exposed without proper nonce validation and capability checks.
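To make the bug class concrete, the following is an added illustration of a WordPress AJAX deletion handler in the vulnerable shape described above beside a hardened version; it is not WP Travel Engine's code, and the action name 'delete_package', the request parameter 'package_id', the nonce action name and the 'package' post type are assumed for the example.

```php
<?php
// Illustrative reconstruction of the bug class, NOT WP Travel Engine's code.
// Assumed names: AJAX action 'delete_package', POST field 'package_id',
// nonce action 'delete_package_nonce', custom post type 'package'.

// Vulnerable pattern: the handler is also registered on the nopriv hook
// (reachable without logging in) and performs neither a nonce nor a
// capability check before deleting whatever post ID the request names.
add_action( 'wp_ajax_nopriv_delete_package', 'vulnerable_delete_package' );
add_action( 'wp_ajax_delete_package', 'vulnerable_delete_package' );
function vulnerable_delete_package() {
    $post_id = absint( $_POST['package_id'] ?? 0 );
    wp_delete_post( $post_id, true ); // any caller, any post type
    wp_send_json_success();
}

// Hardened pattern: authenticated-only hook, CSRF nonce, post type check,
// and a capability check resolved against the specific post.
add_action( 'wp_ajax_delete_package', 'hardened_delete_package' );
function hardened_delete_package() {
    // Rejects requests without a valid nonce (dies with HTTP 403).
    check_ajax_referer( 'delete_package_nonce', 'nonce' );

    $post_id = absint( $_POST['package_id'] ?? 0 );
    $post    = get_post( $post_id );

    // Refuse to act on anything that is not one of the plugin's own posts,
    // so the endpoint cannot be repurposed to delete unrelated content.
    if ( ! $post || 'package' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Invalid package.' ), 404 );
    }

    // 'delete_post' is a meta capability: WordPress maps it to delete_posts
    // or delete_others_posts for this post's type depending on ownership.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

Auditing other handlers for the same defect comes down to three questions per endpoint: is it registered on a nopriv hook or a REST route with a permissive permission_callback, does it verify a nonce, and does it call current_user_can() against the object it modifies.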
Remediation (AI)
Immediate actions:
(1) Update the WP Travel Engine plugin to version 6.5.2 or later if available (check the WordPress Plugin Repository or the official WP Travel Engine website for patched versions).
(2) If no patch is immediately available, disable the WP Travel Engine plugin until a security update is released.
(3) Review WordPress audit logs for unauthorized deletion activity prior to patch deployment, particularly focusing on posts of type 'package' or related custom post types.
Temporary workarounds: implement Web Application Firewall (WAF) rules to block requests to the delete_package() endpoint from unauthenticated sources; restrict plugin functionality through access control lists if the site infrastructure supports it.
Long-term: after patching, audit other plugin functions for similar missing capability checks; implement security scanning tools (e.g., Wordfence, Sucuri) to detect similar vulnerabilities proactively.
EUVD-2025-18242