Wordfence disclosed two security vulnerabilities in WP Travel Engine, a WordPress travel booking plugin with more than 20,000 active installations. The issues involve an unauthenticated local file inclusion and an authenticated arbitrary file deletion flaw.
Key details
- Affected product: WP Travel Engine - Tour Booking Plugin for WordPress, listed with 20,000+ active installs on WordPress.org.
- Unauthenticated local file inclusion: Exploitable without any account via a mode parameter, which lets an attacker include and execute PHP files on the server. Rated critical with a CVSS score of 9.8. See the Wordfence advisory.
- Authenticated arbitrary file deletion: Requires at least subscriber-level access and abuses the file-renaming logic in the set_user_profile_image function to delete arbitrary files on the server. See the Wordfence advisory.
- Impacted versions: Up to and including 6.6.7. Of the two flaws, only the LFI is exploitable without authentication; the file deletion needs a logged-in account.
Why it matters
WP Travel Engine powers itinerary management, package selection, and bookings for travel sites. An unauthenticated LFI that includes PHP files becomes remote code execution as soon as the attacker can get content of their own onto the server (for example an uploaded image with embedded PHP), and no account is needed to trigger it. Arbitrary file deletion can take a site down by removing files it depends on; deleting wp-config.php in particular makes WordPress present its installer on the next request, which an attacker can use to reinstall the site under their own control.
Recommended actions
- Update WP Travel Engine to the latest available version via the WordPress.org plugin page.
- Audit web server and WAF logs for requests whose mode parameter carries path traversal sequences (../), absolute paths, or PHP stream wrappers (php://), and check the filesystem for unexpected file changes or deletions.
- Restrict or moderate new user registrations to reduce subscriber-level abuse potential until fully patched.
- Ensure you have recent backups and a web application firewall in place.
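A starting point for the log audit above, written for this summary as an added example rather than code from Wordfence or the plugin. It assumes the web server writes the Apache/nginx "combined" log format, that the vulnerable parameter is literally named mode and arrives in the query string (the advisory does not say which request method is used), and it runs over constructed sample lines embedded in the script; real traffic will need the query-string assumption checked against the plugin's own requests.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format:
# ip ident authuser [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators that a parameter value is a file-inclusion payload rather than a
# plugin mode name. Assumption: the parameter is named "mode" and is sent in
# the query string; the advisory does not state the request method.
TRAVERSAL = re.compile(r'\.\.[/\\]')
WRAPPER = re.compile(r'^(php|phar|data|file|expect|zip|glob)://', re.IGNORECASE)
ABS_PATH = re.compile(r'^(/|[A-Za-z]:\\)')


def classify_mode_value(value: str) -> Optional[str]:
    """Return a reason string if `value` looks like an LFI payload, else None."""
    # parse_qs already decoded once; decode twice more to catch double encoding.
    decoded = unquote(unquote(value))
    if TRAVERSAL.search(decoded):
        return "path traversal in mode"
    if WRAPPER.match(decoded):
        return "stream wrapper in mode"
    if ABS_PATH.match(decoded):
        return "absolute path in mode"
    if decoded.lower().endswith(".php"):
        return ".php target in mode"
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Return one record per request whose mode parameter looks like an LFI attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("mode", []):
            reason = classify_mode_value(value)
            if reason:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "target": target,
                    "status": m.group("status"),
                    "reason": reason,
                })
    return hits


# Constructed sample lines (not real traffic). The third line is a benign
# request that happens to use a mode parameter and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:01:03 +0000] "GET /?mode=../../../../wp-config.php HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:12:01:09 +0000] "GET /?mode=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 7001 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2025:12:02:41 +0000] "GET /trip/annapurna/?mode=map HTTP/1.1" 200 33012 "https://example.test/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:12:03:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "https://example.test/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f'{hit["ip"]} {hit["time"]} {hit["status"]} {hit["reason"]}: {hit["target"]}')
```

Run it against a real access log with `scan(open("access.log"))`. A 200 response on a flagged request deserves the most attention, since the include succeeded; a 403 from the WAF is still worth recording as reconnaissance against the site. Values for the mode parameter that the plugin legitimately uses will be short identifiers, so anything containing a path separator or a scheme prefix is a reasonable trigger for a closer look.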