Traveler
Monthly
HCL Traveler contains a weak default HTTP header validation vulnerability (CWE-346) that allows authenticated attackers to bypass additional authentication checks and gain unauthorized access to sensitive functionality. The vulnerability affects HCL Traveler across multiple versions and requires only network access and valid credentials to exploit. While the CVSS score is moderate (6.3) and no active exploitation in the wild has been documented in KEV databases, the authentication bypass nature of this issue presents a real risk to organizations relying on Traveler for secure communications.
HCL Traveler contains a sensitive information disclosure vulnerability where error messages expose internal system details including file paths, tokens, credentials, and stack traces. This affects all versions of HCL Traveler as indicated by the CPE string, and requires authenticated access (PR:L) to exploit but can be leveraged by low-privilege users to reconnaissance the application architecture for follow-up attacks. With a CVSS score of 4.3 and confidentiality impact rated as LOW, this is a moderate information disclosure issue that lowers the bar for subsequent targeted attacks rather than directly compromising systems.
A critical PHP object injection vulnerability exists in the Shinetheme Traveler WordPress theme due to insecure deserialization of untrusted data. This affects all versions prior to 3.2.8.1 and allows unauthenticated remote attackers to execute arbitrary code, compromise data confidentiality and integrity, and cause denial of service. The vulnerability has been publicly disclosed through Patchstack's database, though no active exploitation (KEV listing) or EPSS score data is currently available.
HCL Traveler generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
HCL Traveler is affected by an internal path disclosure in a Windows application when the application inadvertently reveals internal file paths, in error messages, debug logs, or responses to user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
HCL Traveler contains a weak default HTTP header validation vulnerability (CWE-346) that allows authenticated attackers to bypass additional authentication checks and gain unauthorized access to sensitive functionality. The vulnerability affects HCL Traveler across multiple versions and requires only network access and valid credentials to exploit. While the CVSS score is moderate (6.3) and no active exploitation in the wild has been documented in KEV databases, the authentication bypass nature of this issue presents a real risk to organizations relying on Traveler for secure communications.
HCL Traveler contains a sensitive information disclosure vulnerability where error messages expose internal system details including file paths, tokens, credentials, and stack traces. This affects all versions of HCL Traveler as indicated by the CPE string, and requires authenticated access (PR:L) to exploit but can be leveraged by low-privilege users to reconnaissance the application architecture for follow-up attacks. With a CVSS score of 4.3 and confidentiality impact rated as LOW, this is a moderate information disclosure issue that lowers the bar for subsequent targeted attacks rather than directly compromising systems.
A critical PHP object injection vulnerability exists in the Shinetheme Traveler WordPress theme due to insecure deserialization of untrusted data. This affects all versions prior to 3.2.8.1 and allows unauthenticated remote attackers to execute arbitrary code, compromise data confidentiality and integrity, and cause denial of service. The vulnerability has been publicly disclosed through Patchstack's database, though no active exploitation (KEV listing) or EPSS score data is currently available.
HCL Traveler generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
HCL Traveler is affected by an internal path disclosure in a Windows application when the application inadvertently reveals internal file paths, in error messages, debug logs, or responses to user. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.