WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Wordfence Intelligence   >   Vulnerability Database   >   WordPress Plugins   >   WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Information

Software Type Plugin
Software Slug wp-travel-engine (view on wordpress.org)
Software Status Active
Software Author wptravelengine
Software Website wordpress.org
Software Downloads 1,114,969
Software Active Installs 20,000
Software Record Last Updated June 18, 2026

17 Vulnerabilities

Submit a Vulnerability
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.10 - Missing Authorization
5.3
CVE-2026-49078
Jun 5, 2026
Researcher: dodoh4t
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.12 - Unauthenticated PHP Object Injection
8.1
CVE-2026-49770
Jun 4, 2026
Researcher: daroo
WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode
6.4
CVE-2026-2437
Apr 3, 2026
Researcher: Muhammad Yudha - DJ
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Unauthenticated Local File Inclusion
9.8
CVE-2025-7634
Oct 8, 2025
Researcher: wesley (wcraft)
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming
9.8
CVE-2025-7526
Oct 8, 2025
Researcher: wesley (wcraft)
WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
7.5
CVE-2025-5282
Jun 12, 2025
Researcher: mikemyers
WP Travel Engine <= 6.5.1 - Authenticated (Contributor+) Local File Inclusion
8.8
CVE-2025-49308
Jun 5, 2025
Researcher: Muhammad Yudha - DJ
WP Travel Engine <= 6.3.5 - Unauthenticated Local File Inclusion
9.8
CVE-2025-30870
Mar 27, 2025
Researcher: LVT-tholv2k
WP Travel Engine <= 6.3.5 - Authenticated (Contributor+) Local File Inclusion
8.8
CVE-2025-30871
Mar 27, 2025
Researcher: LVT-tholv2k
WP Travel Engine <= 6.2.1 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
4.3
CVE-2024-10606
Nov 22, 2024
Researcher: Noah Stead (TurtleBurg)
WP Travel Engine <= 5.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2024-37944
Jul 10, 2024
Researcher: Manab Jyoti Dowarah
WP Travel Engine <= 5.8.0 - Unauthenticated Price Manipulation
5.3
CVE-2024-32798
Apr 22, 2024
Researcher: Ananda Dhakal
WP Travel Engine <= 5.7.9 - Unauthenticated SQL Injection
10.0
CVE-2024-30502
Mar 28, 2024
Researcher: beluga
WP Travel Engine <= 5.7.9 - Authenticated (Administrator+) SQL Injection
9.1
CVE-2024-30504
Mar 28, 2024
Researcher: beluga
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get
6.1
CVE-2023-33999
Jul 18, 2023
Researcher: Rafie Muhammad
Freemius SDK <= 2.4.2 - Missing Authorization Checks
6.3
CVE-2022-4974
Mar 4, 2022
Researchers:
WP Travel Engine <= 5.3.0 - Editor+ Stored Cross-Site Scripting
5.5
CVE-2021-24680
Dec 1, 2021
Researcher: Huy Nguyen
Title Status CVE ID CVSS Researchers Date
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.10 - Missing Authorization Patched CVE-2026-49078 5.3 dodoh4t June 5, 2026
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.12 - Unauthenticated PHP Object Injection Patched CVE-2026-49770 8.1 daroo June 4, 2026
WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode Patched CVE-2026-2437 6.4 Muhammad Yudha - DJ April 3, 2026
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Unauthenticated Local File Inclusion Patched CVE-2025-7634 9.8 wesley (wcraft) October 8, 2025
WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming Patched CVE-2025-7526 9.8 wesley (wcraft) October 8, 2025
WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion Patched CVE-2025-5282 7.5 mikemyers June 12, 2025
WP Travel Engine <= 6.5.1 - Authenticated (Contributor+) Local File Inclusion Patched CVE-2025-49308 8.8 Muhammad Yudha - DJ June 5, 2025
WP Travel Engine <= 6.3.5 - Unauthenticated Local File Inclusion Patched CVE-2025-30870 9.8 LVT-tholv2k March 27, 2025
WP Travel Engine <= 6.3.5 - Authenticated (Contributor+) Local File Inclusion Patched CVE-2025-30871 8.8 LVT-tholv2k March 27, 2025
WP Travel Engine <= 6.2.1 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update Patched CVE-2024-10606 4.3 Noah Stead (TurtleBurg) November 22, 2024
WP Travel Engine <= 5.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Patched CVE-2024-37944 6.4 Manab Jyoti Dowarah July 10, 2024
WP Travel Engine <= 5.8.0 - Unauthenticated Price Manipulation Patched CVE-2024-32798 5.3 Ananda Dhakal April 22, 2024
WP Travel Engine <= 5.7.9 - Unauthenticated SQL Injection Patched CVE-2024-30502 10.0 beluga March 28, 2024
WP Travel Engine <= 5.7.9 - Authenticated (Administrator+) SQL Injection Patched CVE-2024-30504 9.1 beluga March 28, 2024
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get Patched CVE-2023-33999 6.1 Rafie Muhammad July 18, 2023
Freemius SDK <= 2.4.2 - Missing Authorization Checks Patched CVE-2022-4974 6.3 March 4, 2022
WP Travel Engine <= 5.3.0 - Editor+ Stored Cross-Site Scripting Patched CVE-2021-24680 5.5 Huy Nguyen December 1, 2021

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation