Thursday, July 2, 2026

Multiple WordPress Vulnerabilities Affect 20,000+ Travel Sites

Introduction to WP Travel Engine Vulnerabilities

WP Travel Engine is a popular WordPress plugin used by travel agencies to let visitors plan itineraries, choose between packages, and book trips. Two critical vulnerabilities were recently identified in the plugin, which is installed on more than 20,000 websites. Both can be exploited by unauthenticated attackers to gain near-complete control of a site, and both carry a CVSS score of 9.8 out of 10, just short of the maximum.

What is WP Travel Engine?

The WP Travel Engine is a travel booking plugin for WordPress that allows users to book vacations and travel packages. It is a popular choice among travel agencies due to its ease of use and flexibility. However, the recent discovery of vulnerabilities in the plugin has raised concerns about its security.

Improper Path Restriction (Path Traversal)

The first vulnerability stems from missing file-path validation in the plugin's set_user_profile_image function. Because the user-supplied path is never confined to the intended upload directory, an unauthenticated attacker can use directory-traversal sequences to rename or delete files anywhere the web server's account can write. The obvious target is wp-config.php: with that file gone, WordPress falls back into its initial setup routine, which an attacker can complete against a database they control and then use to run code on the server. Arbitrary file deletion is therefore a path to remote code execution, not merely a denial of service.

Local File Inclusion via Mode Parameter

The second vulnerability is improper control of a request parameter named mode, which the plugin uses to decide which PHP file to include. Because the value is not restricted to a known set of templates, an unauthenticated user can make the plugin include and execute an arbitrary .php file that already exists on the server (a local file inclusion). On its own that exposes whatever those files do or contain; combined with any way of placing a file on the host, such as an upload, it becomes code execution. Like the first flaw, it is rated 9.8 and critical because it is reachable without authentication.
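The fix for both flaws is the same discipline: a request value must never become part of a file path. The example below is added here to show that logic in runnable form; it is not code from WP Travel Engine (which is PHP) and the upload directory, file names and mode names it uses are stand-ins. For the profile-image case it resolves the user-supplied name under a base directory and refuses anything that lands outside it, which is the containment check set_user_profile_image lacked; for the mode case it replaces path construction with an allowlist lookup. The demo builds a throwaway layout with a wp-config.php next to an uploads folder and tries the traversal inputs the article describes against it.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical allowlist of mode values. The plugin's real mode names and
# template files are not given on the page; the point is that the request
# value only ever selects an entry and never becomes part of a file path.
MODE_TEMPLATES = {
    "list": "templates/list.php",
    "single": "templates/single.php",
    "booking": "templates/booking.php",
}


def resolve_mode(mode: str) -> str:
    """Allowlist lookup that replaces the vulnerable include($mode . '.php') pattern."""
    if mode not in MODE_TEMPLATES:
        raise ValueError(f"unknown mode {mode!r}")
    return MODE_TEMPLATES[mode]


def is_allowed_mode(mode: str) -> bool:
    return mode in MODE_TEMPLATES


def safe_path_under(base: str, user_supplied: str) -> str:
    """Resolve user_supplied relative to base and insist the result stays inside.

    This is the containment check missing from set_user_profile_image: join,
    resolve symlinks and '..' segments, then compare against the real base.
    """
    if "\x00" in user_supplied:
        raise PermissionError("NUL byte in path")
    base_real = os.path.realpath(base)
    candidate = None
    try:
        # An absolute user value discards base in join(); the commonpath
        # comparison below still catches it.
        candidate = os.path.realpath(os.path.join(base_real, user_supplied))
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # e.g. paths on different Windows drives
        inside = False
    if not inside or candidate == base_real:
        raise PermissionError(f"{user_supplied!r} escapes {base_real}")
    return candidate


def delete_profile_image(upload_dir: str, filename: str) -> bool:
    """Delete a profile image named by the user; False when the path is rejected."""
    try:
        target = safe_path_under(upload_dir, filename)
    except PermissionError:
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Constructed layout: <root>/wp-config.php beside <root>/uploads/avatar.png."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        Path(uploads, "avatar.png").write_bytes(b"\x89PNG stand-in")
        Path(root, "wp-config.php").write_text("<?php // stand-in config\n")
        attempts = ["avatar.png", "../wp-config.php",
                    "sub/../../wp-config.php", "/etc/passwd"]
        results = {name: delete_profile_image(uploads, name) for name in attempts}
        results["config_survived"] = os.path.isfile(os.path.join(root, "wp-config.php"))
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
    print(resolve_mode("list"), is_allowed_mode("../../wp-config"))
```

The check is done on the resolved path rather than on the raw string on purpose: rejecting `..` textually misses URL-encoded variants, symlinked directories and absolute paths, whereas comparing the realpath against the base catches all of them. The allowlist for mode is deliberately a lookup and not a prefix check, because a prefix still lets `templates/../../` through.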

Recommendation

Both vulnerabilities affect every release up to and including 6.6.7. Site owners running WP Travel Engine should update to the latest release immediately; on a server with WP-CLI, `wp plugin get wp-travel-engine --field=version` reports the installed version and `wp plugin update wp-travel-engine` applies the fix (wp-travel-engine is the plugin's slug on WordPress.org). Because neither flaw requires authentication, treat this as an emergency patch rather than a routine one, and if updating has to wait, deactivate the plugin in the meantime. It is also worth confirming that wp-config.php is intact and that no unexpected .php files have appeared under wp-content, since both are what a successful exploit leaves behind.
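For anyone responsible for more than one site, the question is which installs are still at or below 6.6.7. The following is an added example, not part of the article or the plugin, that parses the `Stable tag:` line a WordPress plugin's bundled readme.txt carries (the readme fragment is constructed, and the wp-travel-engine slug is assumed) and compares versions numerically, segment by segment, so that 6.6.10 is correctly treated as newer than 6.6.7. It then triages a constructed inventory of site names and versions, such as one gathered with the WP-CLI command above.

```python
import re
from typing import Dict, List, Optional

# Constructed readme.txt fragment in the WordPress.org plugin readme format.
# An installed plugin serves its own copy at
# /wp-content/plugins/<slug>/readme.txt; the slug wp-travel-engine is assumed.
SAMPLE_README = """=== WP Travel Engine ===
Requires at least: 5.5
Tested up to: 6.5
Stable tag: 6.6.7
License: GPLv2 or later
"""

# From the advisory: every release up to and including this one is affected.
LAST_VULNERABLE = "6.6.7"

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'6.6.7' -> (6, 6, 7); a suffix such as '-beta' is ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def stable_tag(readme_text: str) -> Optional[str]:
    """Pull the Stable tag value out of a readme.txt, or None if it is absent."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable(version: str, last_bad: str = LAST_VULNERABLE) -> bool:
    """True when version <= last_bad under numeric, segment-wise comparison.

    Tuple comparison handles differing lengths: (6, 6) < (6, 6, 7) < (6, 6, 10).
    """
    return parse_version(version) <= parse_version(last_bad)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sites in a {site: version} inventory that still need the update."""
    return [site for site, ver in inventory.items() if is_vulnerable(ver)]


if __name__ == "__main__":
    tag = stable_tag(SAMPLE_README)
    print("readme reports", tag, "-> vulnerable:", is_vulnerable(tag))
    # Constructed inventory, e.g. collected with
    # `wp plugin get wp-travel-engine --field=version` on each host.
    print(triage({"agency-a": "6.6.7", "agency-b": "6.7.0", "agency-c": "6.5.2"}))
```

A readme fetched over HTTP reflects the files on disk, so it is a reasonable remote check, but a site that has updated the plugin and then been restored from an older backup will look current in one place and not the other; the WP-CLI value from the host itself is authoritative.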

Conclusion

WP Travel Engine carries two critical, unauthenticated vulnerabilities, an arbitrary file rename/delete through path traversal and a local file inclusion through the mode parameter, either of which can hand an attacker control of the site. Updating past 6.6.7 closes both. Travel sites that process bookings hold exactly the customer and payment data an attacker wants, which is why plugin updates like this one deserve the same urgency as a core WordPress security release.
