Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total5
Critical2
High1
Medium2
Reset
Showing 1-5 of 5 records
Threat Entry Updated 2025-10-09

CVE-2025-7634 - Wp Travel Engine Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Wp Travel Engine

CVE-2025-7634

CRITICAL CVSS 9.8 2025-10-09
Open Full Technical Breakdown
Threat Entry Updated 2025-10-09

CVE-2025-7526 - Wp Travel Engine Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Wp Travel Engine

CVE-2025-7526

CRITICAL CVSS 9.8 2025-10-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-5282 - Wp Travel Engine Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

PLUGIN Wp Travel Engine

CVE-2025-5282

HIGH CVSS 7.5 2025-06-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-11

CVE-2024-10606 - Wp Travel Engine Plugin

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpte_onboard_save_function_callback() function in all versions up to, and including, 6.2.1. This makes it possible for authenticated attackers, with contributor-level access and above, to modify several settings that could have an impact such as lost revenue and page updates.

PLUGIN Wp Travel Engine

CVE-2024-10606

MEDIUM CVSS 4.3 2024-11-23
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2021-24680 - Wp Travel Engine Plugin

The WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed

PLUGIN Wp Travel Engine

CVE-2021-24680

MEDIUM CVSS 5.4 2022-01-03
Open Full Technical Breakdown
Scroll to top