WP Travel Engine EUVD-2026-36877

CVE-2026-49078 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-15 Patchstack GHSA-7cq3-5g9g-7w8q
CVSS 3.1: 7.5 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), PRIMARY: 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI: 7.5 HIGH

Plugin endpoint reachable over the web with no auth or interaction (AV:N/AC:L/PR:N/UI:N); CWE-1284 input-validation flaw enables data tampering only, so I:H with C:N and A:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 21:37 (vuln.today)

Description (CVE.org)

Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions.

Analysis (AI)

Improper input validation in the WP Travel Engine WordPress plugin (versions 6.7.10 and earlier) allows remote unauthenticated attackers to tamper with integrity-sensitive data over the network with low complexity. The Patchstack-reported issue carries a CVSS 7.5 driven entirely by high integrity impact (I:H) with no confidentiality or availability effect, and no public exploit identified at time of analysis. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify WordPress site running WP Travel Engine ≤ 6.7.10
Delivery: Send crafted HTTP request to vulnerable plugin endpoint
Exploit: Bypass quantity/input validation (CWE-1284)
Execution: Tamper with stored plugin data or state
Impact: Manipulate bookings or trip records for fraud or defacement

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of the WP Travel Engine WordPress plugin at version 6.7.10 or earlier, reachable over HTTP/HTTPS on a publicly accessible WordPress site. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N describes a fully remote, low-complexity, no-auth, no-interaction integrity-only attack - the worst possible exposure profile short of full triad impact. …

Exploit Scenario: An attacker scans the internet for WordPress sites exposing WP Travel Engine endpoints (identifiable via /wp-content/plugins/wp-travel-engine/ asset paths or REST routes) and sends a crafted HTTP request to the vulnerable handler containing malformed quantity or identifier parameters. Because no authentication or user interaction is required, the attacker successfully tampers with stored data - for example, modifying bookings, trip prices, or plugin state - without ever logging in. …

Remediation: Upstream fix available per Patchstack; released patched version not independently confirmed in the supplied data - administrators should consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wp-travel-engine/vulnerability/wordpress-wp-travel-engine-plugin-6-7-10-other-vulnerability-type-vulnerability and upgrade WP Travel Engine to the latest version above 6.7.10 via the WordPress plugin dashboard. …

Recommended Action (AI)

Within 24 hours: Audit all WordPress installations for WP Travel Engine deployment and document affected versions. …
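
One way to run the audit described above on a host you administer, as an added example (not code from vuln.today, Patchstack or the plugin project). It assumes the installed version is declared in a standard WordPress "Version:" header in a PHP file at the top of the plugin directory; the function names are hypothetical. Versions are compared numerically per component, because a plain string comparison would rank 6.7.9 above 6.7.10.

```shell
#!/bin/sh
# Added example: inventory WP Travel Engine installs under a directory tree
# and flag any whose version is <= 6.7.10 (the affected range in the advisory).
AFFECTED_MAX="6.7.10"

# version_le A B: succeed when dotted numeric version A <= B.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading component
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop it from A
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac   # drop it from B
        x=${x:-0}; y=${y:-0}                        # missing component = 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0                                        # all components equal
}

# plugin_version DIR: print the first "Version:" header value found in DIR/*.php
# (assumption: standard WordPress plugin header comment).
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        "$1"/*.php 2>/dev/null | head -n 1
}

# audit_root ROOT: one line per install found: STATUS VERSION PATH
audit_root() {
    find "$1" -type d -path '*/wp-content/plugins/wp-travel-engine' 2>/dev/null |
    while IFS= read -r dir; do
        ver=$(plugin_version "$dir")
        if [ -z "$ver" ]; then
            echo "UNKNOWN - $dir"        # no header found: check by hand
        elif version_le "$ver" "$AFFECTED_MAX"; then
            echo "AFFECTED $ver $dir"
        else
            echo "OK $ver $dir"
        fi
    done
}

# Usage: sh audit.sh /var/www   (the path is whatever holds your WordPress sites)
if [ "$#" -gt 0 ]; then audit_root "$1"; fi
```

UNKNOWN lines mean no version header was readable in that directory and the install should be checked manually rather than assumed safe.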