CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5282 – WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
https://notcve.org/view.php?id=CVE-2025-5282
12 Jun 2025 — The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts. • https://plugins.trac.wordpress.org/changeset/3305447/wp-travel-engine/tags/6.5.2/includes/classes/Core/Controllers/RestAPI/V2/Trip.php • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12272 – WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor <= 1.3.7 - Authenticated (Contributor+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-12272
24 Dec 2024 — The WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.7 via several widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code ... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3212458%40wte-elementor-widgets&new=3212458%40wte-elementor-widgets&sfp_email=&sfph_mail= • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10606 – WP Travel Engine <= 6.2.1 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
https://notcve.org/view.php?id=CVE-2024-10606
22 Nov 2024 — The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates. • https://plugins.trac.wordpress.org/changeset/3193913/wp-travel-engine/tags/6.2.2/includes/class-wp-travel-engine-onboard.php • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 425EXPL: 0CVE-2022-4974 – Freemius SDK <= 2.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2022-4974
04 Mar 2022 — The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. • https://www.wordfence.com/threat-intel/vulnerabilities/id/39fb0499-9ab4-4a2f-b0db-ece86bcf4d42?source=cve • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24680 – WP Travel Engine < 5.3.1 - Editor+ Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24680
01 Dec 2021 — The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed El plugin WP Travel Engine de WordPress versiones anteriores a 5.3.1, no escapa del campo Description field en las páginas Trip Destination/Activities/Trip Type y Pricing Category, permitiendo a usuarios... • https://wpscan.com/vulnerability/30f2a0d5-7959-436c-9860-2535020e82d3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •