Tour Operator Security & Risk Analysis

wordpress.org/plugins/tour-operator

Tour Operator is a block-based plugin for WordPress that helps travel agencies and tour operators showcase tours, destinations, and accommodations usi …

50 active installs v2.1.1 PHP 8.0+ WP 6.7+ Updated Jan 7, 2026
Tags: destinations, itinerary, tour-operator, tours, travel
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Nov 20, 2024
Safety Verdict

Is Tour Operator Safe to Use in 2026?

Generally Safe

Score 99/100

Tour Operator has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Nov 20, 2024 · Updated 2mo ago
Risk Assessment

The "tour-operator" plugin v2.1.1 has a generally good security posture, with several strong practices in place. It has no unprotected entry points, 100% of its SQL statements are prepared, and its nonce and capability checks indicate a conscious effort towards secure coding. The taint analysis found no critical or high severity unsanitized flows, which suggests that input handling is largely robust.

However, a few areas warrant attention. The plugin calls `unserialize`. The call was not flagged by the taint analysis, but `unserialize` is a known risk factor that can lead to Remote Code Execution if the serialized data is not handled with extreme care and properly validated. The one call reported in the code analysis sits in the bundled CMB2 library and passes `allowed_classes` restricted to `DateTime`, which limits which classes can be instantiated during deserialization. The plugin also bundles an outdated version of Select2 (v3.0.3), which may contain unpatched vulnerabilities and should be updated. There are no currently unpatched CVEs, but the history of one medium-severity Cross-Site Scripting vulnerability suggests that input sanitization and output escaping, despite appearing generally good, might have had past weaknesses that could be reintroduced or could exist in less obvious areas.

In conclusion, "tour-operator" v2.1.1 is a reasonably secure plugin due to its strong foundation in authentication and SQL handling. The primary concerns revolve around the potential risks of `unserialize` and the outdated bundled library. Addressing these, along with ongoing vigilance for any potential XSS vulnerabilities, would further solidify its security.

Key Concerns

  • Dangerous function `unserialize` present
  • Bundled library Select2 v3.0.3 is outdated
Vulnerabilities: 1

Tour Operator Security Vulnerabilities

CVEs by Year

2024: 1 CVE

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-9851 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LSX Tour Operator <= 1.4.9 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Nov 20, 2024 Patched in 2.0.0 (51d)
Code Analysis
Analyzed Mar 16, 2026

Tour Operator Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (7 prepared)
Unescaped Output: 55 (279 escaped)
Nonce Checks: 6
Capability Checks: 8
File Operations: 3
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

`unserialize`: `$datetime = @unserialize( trim( $date_value ), array( 'allowed_classes' => array( 'DateTime' ) ) );` (plugins\cmb2\includes\CMB2_Utils.php:571)

Bundled Libraries

Select2 3.0.3

SQL Query Safety

100% prepared · 7 total queries

Output Escaping

84% escaped · 334 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
save_custom_permalink_fields (includes\classes\admin\class-permalinks.php:129)
Attack Surface

Tour Operator Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_cmb2_oembed_handler · plugins\cmb2\includes\CMB2_Ajax.php:51
nopriv · wp_ajax_cmb2_oembed_handler · plugins\cmb2\includes\CMB2_Ajax.php:52

REST API Routes: 1

GET /wp-json/tour-operator/v1/modal-options · includes\classes\frontend\class-modals.php:371

WordPress Hooks: 163

filter · type_url_form_media · includes\classes\admin\class-admin.php:27
filter · content_model_post_type_args · includes\classes\admin\class-admin.php:29
action · admin_init · includes\classes\admin\class-permalinks.php:39
action · admin_init · includes\classes\admin\class-permalinks.php:40
filter · lsx_to_register_taxonomy_args · includes\classes\admin\class-permalinks.php:41
action · save_post_tour · includes\classes\admin\class-post-expiration.php:22
action · lsx_to_expire_tour · includes\classes\admin\class-post-expiration.php:23
action · admin_menu · includes\classes\admin\class-settings.php:51
action · admin_init · includes\classes\admin\class-settings.php:52
action · lsx_to_framework_dashboard_tab_content · includes\classes\admin\class-settings.php:147
action · lsx_to_framework_dashboard_tab_content · includes\classes\admin\class-settings.php:148
action · lsx_to_framework_dashboard_tab_content · includes\classes\admin\class-settings.php:149
action · lsx_to_framework_dashboard_tab_content · includes\classes\admin\class-settings.php:150
action · lsx_to_framework_dashboard_tab_content · includes\classes\admin\class-settings.php:151
action · lsx_to_framework_dashboard_tab_content · includes\classes\admin\class-settings.php:152
action · lsx_to_framework_post_type_tab_content · includes\classes\admin\class-settings.php:155
action · init · includes\classes\admin\class-setup.php:85
action · init · includes\classes\admin\class-setup.php:86
action · init · includes\classes\admin\class-setup.php:87
filter · image_size_names_choose · includes\classes\admin\class-setup.php:88
action · cmb2_admin_init · includes\classes\admin\class-setup.php:89
filter · wp_kses_allowed_html · includes\classes\admin\class-setup.php:92
filter · kses_allowed_protocols · includes\classes\admin\class-setup.php:102
filter · safe_style_css · includes\classes\admin\class-setup.php:110
filter · acf/settings/remove_wp_meta_box · includes\classes\admin\class-setup.php:130
action · init · includes\classes\blocks\class-bindings.php:69
filter · render_block · includes\classes\blocks\class-bindings.php:70
filter · render_block · includes\classes\blocks\class-bindings.php:71
filter · render_block · includes\classes\blocks\class-bindings.php:72
filter · render_block · includes\classes\blocks\class-bindings.php:73
filter · render_block · includes\classes\blocks\class-bindings.php:74
filter · render_block · includes\classes\blocks\class-bindings.php:75
filter · render_block_core/cover · includes\classes\blocks\class-bindings.php:76
filter · render_block · includes\classes\blocks\class-bindings.php:77
filter · block_categories_all · includes\classes\blocks\class-patterns.php:52
action · init · includes\classes\blocks\class-patterns.php:53
action · init · includes\classes\blocks\class-patterns.php:56
filter · render_block_data · includes\classes\blocks\class-query-loop.php:51
filter · render_block · includes\classes\blocks\class-query-loop.php:53
filter · posts_pre_query · includes\classes\blocks\class-query-loop.php:54
filter · query_loop_block_query_vars · includes\classes\blocks\class-query-loop.php:55
action · enqueue_block_editor_assets · includes\classes\blocks\class-registration.php:20
action · init · includes\classes\blocks\class-registration.php:21
action · init · includes\classes\blocks\class-template-parts.php:26
action · init · includes\classes\blocks\class-template-parts.php:27
filter · default_wp_template_part_areas · includes\classes\blocks\class-template-parts.php:40
action · init · includes\classes\blocks\class-templates.php:28
action · admin_enqueue_scripts · includes\classes\class-frame.php:203
filter · facetwp_indexer_row_data · includes\classes\class-post-connections.php:40
filter · facetwp_index_row · includes\classes\class-post-connections.php:41
filter · facetwp_facet_html · includes\classes\class-post-connections.php:42
filter · facetwp_facet_dropdown_show_counts · includes\classes\class-post-connections.php:43
action · init · includes\classes\class-tour-operator.php:75
action · wp_loaded · includes\classes\frontend\class-modals.php:51
action · wp_enqueue_scripts · includes\classes\frontend\class-modals.php:52
action · rest_api_init · includes\classes\frontend\class-modals.php:53
action · enqueue_block_editor_assets · includes\classes\frontend\class-modals.php:54
filter · lsx_to_settings_fields · includes\classes\frontend\class-modals.php:88
filter · lsx_to_connected_list_item · includes\classes\frontend\class-modals.php:89
filter · lsx_to_custom_field_query · includes\classes\frontend\class-modals.php:90
filter · render_block_lsx-tour-operator/modal-button · includes\classes\frontend\class-modals.php:91
action · wp_footer · includes\classes\frontend\class-modals.php:93
action · wp_footer · includes\classes\frontend\class-modals.php:94
filter · render_block_core/post-featured-image · includes\classes\frontend\class-taxonomy-images.php:42
filter · lsx_to_custom_field_query · includes\classes\legacy\class-accommodation.php:76
filter · lsx_to_custom_field_query · includes\classes\legacy\class-accommodation.php:78
action · init · includes\classes\legacy\class-admin.php:66
action · admin_enqueue_scripts · includes\classes\legacy\class-admin.php:67
action · cmb2_pre_save_field · includes\classes\legacy\class-admin.php:78
action · create_term · includes\classes\legacy\class-admin.php:86
action · edit_term · includes\classes\legacy\class-admin.php:87
action · lsx_to_map_meta · includes\classes\legacy\class-destination.php:61
action · lsx_to_modal_meta · includes\classes\legacy\class-destination.php:62
filter · lsx_to_parents_only · includes\classes\legacy\class-destination.php:63
filter · facetwp_query_args · includes\classes\legacy\class-destination.php:65
action · pre_get_posts · includes\classes\legacy\class-destination.php:66
action · wp_enqueue_scripts · includes\classes\legacy\class-frontend.php:43
filter · body_class · includes\classes\legacy\class-frontend.php:44
filter · pre_get_posts · includes\classes\legacy\class-frontend.php:47
filter · wpseo_breadcrumb_links · includes\classes\legacy\class-frontend.php:55
filter · lsx_to_itinerary_thumbnail_src · includes\classes\legacy\class-itinerary-query.php:111
filter · lsx_to_maps_tour_connections · includes\classes\legacy\class-maps.php:70
filter · get_post_metadata · includes\classes\legacy\class-placeholders.php:60
filter · get_term_metadata · includes\classes\legacy\class-placeholders.php:69
filter · post_thumbnail_id · includes\classes\legacy\class-placeholders.php:80
filter · wp_get_attachment_image_src · includes\classes\legacy\class-placeholders.php:82
filter · wp_calculate_image_srcset_meta · includes\classes\legacy\class-placeholders.php:91
filter · wp_calculate_image_srcset · includes\classes\legacy\class-placeholders.php:100
filter · wpseo_schema_graph_pieces · includes\classes\legacy\class-schema.php:42
action · init · includes\classes\legacy\class-tour-operator.php:166
action · plugins_loaded · includes\classes\legacy\class-tour-operator.php:167
action · activated_plugin · includes\classes\legacy\class-tour-operator.php:174
action · init · includes\classes\legacy\class-tour-operator.php:177
action · admin_init · includes\classes\legacy\class-tour-operator.php:187
action · init · includes\classes\legacy\class-tour.php:66
filter · lsx_to_itinerary_class · includes\classes\legacy\class-tour.php:70
filter · lsx_to_itinerary_needs_read_more · includes\classes\legacy\class-tour.php:71
filter · lsx_to_custom_field_query · includes\classes\legacy\class-tour.php:75
filter · lsx_to_custom_field_query · includes\classes\legacy\class-tour.php:77
filter · body_class · includes\classes\legacy\class-tour.php:79
filter · lsx_to_destination_custom_fields · includes\classes\legacy\class-video.php:33
filter · lsx_to_tour_custom_fields · includes\classes\legacy\class-video.php:34
filter · lsx_to_accommodation_custom_fields · includes\classes\legacy\class-video.php:35
filter · lsx_to_review_custom_fields · includes\classes\legacy\class-video.php:36
filter · lsx_to_activity_custom_fields · includes\classes\legacy\class-video.php:37
filter · lsx_to_special_custom_fields · includes\classes\legacy\class-video.php:38
filter · lsx_to_vehicle_custom_fields · includes\classes\legacy\class-video.php:39
filter · cmb2_render_pw_select · plugins\cmb-field-select2\cmb-field-select2.php:27
filter · cmb2_render_pw_multiselect · plugins\cmb-field-select2\cmb-field-select2.php:28
filter · cmb2_sanitize_pw_multiselect · plugins\cmb-field-select2\cmb-field-select2.php:29
filter · cmb2_types_esc_pw_multiselect · plugins\cmb-field-select2\cmb-field-select2.php:30
filter · cmb2_repeat_table_row_types · plugins\cmb-field-select2\cmb-field-select2.php:31
action · cmb2_save_options-page_fields · plugins\cmb2\includes\CMB2_Ajax.php:54
filter · get_post_metadata · plugins\cmb2\includes\CMB2_Ajax.php:147
filter · update_post_metadata · plugins\cmb2\includes\CMB2_Ajax.php:150
filter · cmb2_show_on · plugins\cmb2\includes\CMB2_Hookup.php:79
action · edit_form_top · plugins\cmb2\includes\CMB2_Hookup.php:118
action · edit_form_before_permalink · plugins\cmb2\includes\CMB2_Hookup.php:122
action · edit_form_after_title · plugins\cmb2\includes\CMB2_Hookup.php:126
action · edit_form_after_editor · plugins\cmb2\includes\CMB2_Hookup.php:130
action · add_meta_boxes · plugins\cmb2\includes\CMB2_Hookup.php:134
action · add_meta_boxes · plugins\cmb2\includes\CMB2_Hookup.php:137
action · add_attachment · plugins\cmb2\includes\CMB2_Hookup.php:138
action · edit_attachment · plugins\cmb2\includes\CMB2_Hookup.php:139
action · save_post · plugins\cmb2\includes\CMB2_Hookup.php:140
action · pre_get_posts · plugins\cmb2\includes\CMB2_Hookup.php:147
action · add_meta_boxes_comment · plugins\cmb2\includes\CMB2_Hookup.php:155
action · edit_comment · plugins\cmb2\includes\CMB2_Hookup.php:156
filter · manage_edit-comments_columns · plugins\cmb2\includes\CMB2_Hookup.php:159
action · manage_comments_custom_column · plugins\cmb2\includes\CMB2_Hookup.php:160
filter · manage_edit-comments_sortable_columns · plugins\cmb2\includes\CMB2_Hookup.php:161
action · pre_get_posts · plugins\cmb2\includes\CMB2_Hookup.php:162
action · show_user_profile · plugins\cmb2\includes\CMB2_Hookup.php:171
action · edit_user_profile · plugins\cmb2\includes\CMB2_Hookup.php:172
action · user_new_form · plugins\cmb2\includes\CMB2_Hookup.php:173
action · personal_options_update · plugins\cmb2\includes\CMB2_Hookup.php:175
action · edit_user_profile_update · plugins\cmb2\includes\CMB2_Hookup.php:176
action · user_register · plugins\cmb2\includes\CMB2_Hookup.php:177
filter · manage_users_columns · plugins\cmb2\includes\CMB2_Hookup.php:180
filter · manage_users_custom_column · plugins\cmb2\includes\CMB2_Hookup.php:181
filter · manage_users_sortable_columns · plugins\cmb2\includes\CMB2_Hookup.php:182
action · pre_get_posts · plugins\cmb2\includes\CMB2_Hookup.php:183
action · pre_get_posts · plugins\cmb2\includes\CMB2_Hookup.php:229
action · created_term · plugins\cmb2\includes\CMB2_Hookup.php:233
action · edited_terms · plugins\cmb2\includes\CMB2_Hookup.php:234
action · delete_term · plugins\cmb2\includes\CMB2_Hookup.php:235
filter · wp_prepare_attachment_for_js · plugins\cmb2\includes\CMB2_Hookup_Field.php:54
action · admin_enqueue_scripts · plugins\cmb2\includes\CMB2_Hookup_Field.php:71
action · cmb2_do_oembed · plugins\cmb2\includes\helper-functions.php:131
filter · is_protected_meta · plugins\cmb2\includes\rest-api\CMB2_REST.php:144
action · init · plugins\cmb2\init.php:77
filter · cmb2_render_pw_map · plugins\cmb2-field-map\cmb-field-map.php:16
filter · cmb2_sanitize_pw_map · plugins\cmb2-field-map\cmb-field-map.php:17
filter · pw_google_api_key · plugins\cmb2-field-map\cmb-field-map.php:18
action · init · plugins\content-models\includes\json-initializer\0-load.php:12
action · init · plugins\content-models\includes\runtime\0-load.php:17
filter · get_block_type_variations · plugins\content-models\includes\runtime\class-content-model-block.php:94
filter · pre_render_block · plugins\content-models\includes\runtime\class-content-model-block.php:96
filter · pre_render_block · plugins\content-models\includes\runtime\class-content-model-block.php:222
action · enqueue_block_editor_assets · plugins\content-models\includes\runtime\class-content-model.php:86
filter · block_categories_all · plugins\content-models\includes\runtime\class-content-model.php:88
filter · rest_request_before_callbacks · plugins\content-models\includes\runtime\class-content-model.php:90
filter · get_post_metadata · plugins\content-models\includes\runtime\class-content-model.php:103

Maintenance & Trust

Tour Operator Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 7, 2026
PHP min version: 8.0
Downloads: 25K

Community Trust

Rating: 76/100
Number of ratings: 6
Active installs: 50
Developer Profile

Tour Operator Developer Profile

Ash Shaw

14 plugins · 700 total installs

Trust score: 81
Avg Security Score: 90/100
Avg Patch Time: 51 days
Detection Fingerprints

How We Detect Tour Operator

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/tour-operator/assets/css/frontend.css
/wp-content/plugins/tour-operator/assets/css/backend.css
/wp-content/plugins/tour-operator/assets/js/frontend.js
/wp-content/plugins/tour-operator/assets/js/backend.js
/wp-content/plugins/tour-operator/assets/css/single-tour.css
/wp-content/plugins/tour-operator/assets/css/single-destination.css
/wp-content/plugins/tour-operator/assets/css/single-accommodation.css
/wp-content/plugins/tour-operator/assets/css/tour-operator-settings.css
(+10 more)

Script Paths
/wp-content/plugins/tour-operator/assets/js/frontend.js
/wp-content/plugins/tour-operator/assets/js/backend.js
/wp-content/plugins/tour-operator/assets/js/single-tour.js
/wp-content/plugins/tour-operator/assets/js/single-destination.js
/wp-content/plugins/tour-operator/assets/js/single-accommodation.js
/wp-content/plugins/tour-operator/assets/js/tour-operator-settings.js
(+3 more)

Version Parameters
tour-operator/assets/css/frontend.css?ver=
tour-operator/assets/css/backend.css?ver=
tour-operator/assets/js/frontend.js?ver=
tour-operator/assets/js/backend.js?ver=
tour-operator/assets/css/single-tour.css?ver=
tour-operator/assets/css/single-destination.css?ver=
tour-operator/assets/css/single-accommodation.css?ver=
tour-operator/assets/css/tour-operator-settings.css?ver=
tour-operator/assets/css/tour-operator-dashboard.css?ver=
tour-operator/assets/css/tour-operator-frontend-blocks.css?ver=
tour-operator/assets/css/tour-operator-backend-blocks.css?ver=
tour-operator/assets/js/single-tour.js?ver=
tour-operator/assets/js/single-destination.js?ver=
tour-operator/assets/js/single-accommodation.js?ver=
tour-operator/assets/js/tour-operator-settings.js?ver=
tour-operator/assets/js/tour-operator-dashboard.js?ver=
tour-operator/assets/js/tour-operator-frontend-blocks.js?ver=
tour-operator/assets/js/tour-operator-backend-blocks.js?ver=

HTML / DOM Fingerprints

CSS Classes
tour-operator-frontend
tour-operator-backend
single-tour
single-destination
single-accommodation
tour-operator-settings-page
tour-operator-dashboard-page
tour-operator-frontend-block
(+1 more)

HTML Comments
<!-- Tour Operator Frontend Scripts -->
<!-- Tour Operator Backend Scripts -->
<!-- Tour Operator Single Tour Scripts -->
<!-- Tour Operator Single Destination Scripts -->
(+5 more)

Data Attributes
data-tour-operator-id
data-tour-operator-slug

JS Globals
tourOperatorFrontend
tourOperatorBackend
tourOperatorSingleTour
tourOperatorSingleDestination
tourOperatorSingleAccommodation
tourOperatorSettings
(+3 more)

REST Endpoints
/wp-json/tour-operator/v1/tours
/wp-json/tour-operator/v1/destinations
/wp-json/tour-operator/v1/accommodations

Shortcode Output
[tour_operator_tours]
[tour_operator_destinations]
[tour_operator_accommodations]
[tour_operator_map]

FAQ

Frequently Asked Questions about Tour Operator