Threat Entry Updated 2026-04-07

CVE-2026-2437 - Tour Operator Software Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tour Operator Software

CVE-2026-2437

MEDIUM CVSS 6.4 2026-04-04

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-10-09

CVE-2025-7634 - Tour Operator Software Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Tour Operator Software

CVE-2025-7634

CRITICAL CVSS 9.8 2025-10-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-10-09

CVE-2025-7526 - Tour Operator Software Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Tour Operator Software

CVE-2025-7526

CRITICAL CVSS 9.8 2025-10-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-07-10

CVE-2025-5282 - Tour Operator Software Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

PLUGIN Tour Operator Software

CVE-2025-5282

HIGH CVSS 7.5 2025-06-13

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-11

CVE-2024-10606 - Tour Operator Software Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates.

PLUGIN Tour Operator Software

CVE-2024-10606

MEDIUM CVSS 4.3 2024-11-23

Risk Score

Open Full Technical Breakdown