WP Travel Engine
Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin ecosystem make this a high-priority patching target for travel-booking sites.
Improper input validation in the WP Travel Engine WordPress plugin (versions 6.7.10 and earlier) allows remote unauthenticated attackers to tamper with integrity-sensitive data over the network with low complexity. The Patchstack-reported issue carries a CVSS 7.5 driven entirely by high integrity impact (I:H) with no confidentiality or availability effect, and no public exploit identified at time of analysis. Despite the 'Information Disclosure' tag inherited from the plugin context, the CVSS vector points to an integrity-affecting weakness rather than data leakage.
The WP Travel Engine plugin for WordPress is missing a capability check in the delete_package() function, allowing unauthenticated attackers to delete arbitrary posts. This vulnerability affects all versions up to and including 6.5.1 and results in unauthorized data loss with a CVSS score of 7.5. The vulnerability is network-accessible with no user interaction required, making it a significant integrity risk for WordPress installations running vulnerable plugin versions.