Does Travelpayouts have any unpatched vulnerabilities?

Yes — Travelpayouts currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

How often is Travelpayouts updated?

Travelpayouts was last updated on Feb 26, 2026. Frequent updates are generally a positive security signal.

What is Travelpayouts's security score?

Travelpayouts has a WP-Safety security score of 67/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Travelpayouts Security & Risk Analysis

wordpress.org/plugins/travelpayouts

Earn money and make your visitors happy! Offer them useful tools for their travel needs. Earn on commission for each booking.

7K active installs v1.2.2 PHP + WP + Updated Feb 26, 2026

C · Use Caution

CVEs total5

Unpatched1

Last CVEJan 29, 2026

Plugin page Download

Safety Verdict

Is Travelpayouts Safe to Use in 2026?

Use With Caution

Score 67/100

Travelpayouts has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

5 known CVEs 1 unpatched Last CVE: Jan 29, 2026Updated 1mo ago

Risk Assessment

The TravelPayouts plugin version 1.2.2 exhibits a concerning security posture, primarily due to significant risks identified in its attack surface and a history of multiple, serious vulnerabilities. The presence of two unprotected AJAX handlers represents a direct avenue for attackers to potentially exploit the plugin without proper authorization, which is a critical oversight. While the plugin utilizes prepared statements for a majority of its SQL queries and has a decent percentage of properly escaped output, the existence of the `unserialize` dangerous function, especially if used with user-controlled input, poses a severe risk of remote code execution. Taint analysis, though limited in scope, did not reveal critical or high severity unsanitized flows, which is a small positive, but this could be a result of limited analysis coverage rather than true security.

Key Concerns

Unprotected AJAX handlers
Dangerous function: unserialize
Unpatched high severity CVE
Vulnerability history: 5 CVEs
Vulnerability history: High severity
Vulnerability history: Medium severity
Bundled library: Select2

Vulnerabilities

Travelpayouts Security Vulnerabilities

CVEs by Year

1 CVE in 2021

2021

3 CVEs in 2024

2024

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

High

Medium

5 total CVEs

CVE-2025-68042medium · 4.3Missing Authorization

Travelpayouts <= 1.2.1 - Missing Authorization

Jan 29, 2026Unpatched

CVE-2024-0337medium · 6.1URL Redirection to Untrusted Site ('Open Redirect')

Travelpayouts: All Travel Brands in One Place <= 1.1.16 - Open Redirect

Feb 28, 2024 Patched in 1.1.17 (92d)

CVE-2023-5934medium · 4.3Cross-Site Request Forgery (CSRF)

Travelpayouts <= 1.1.12 - Cross-Site Request Forgery to Settings Import

Jan 26, 2024 Patched in 1.1.13 (488d)

CVE-2023-5932medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Travelpayouts <= 1.1.13 - Reflected Cross-Site Scripting

Jan 23, 2024 Patched in 1.1.14 (485d)

WF-7e199cd3-e2ce-4969-a517-4a9c2a84bf44-travelpayoutshigh · 8.8Cross-Site Request Forgery (CSRF)

Travelpayouts <= 1.0.16 - Cross-Site Request Forgery

Sep 13, 2021 Patched in 1.0.17 (862d)

Code Analysis

Analyzed Mar 16, 2026

Travelpayouts Code Analysis

Dangerous Functions

Raw SQL Queries

5 prepared

Unescaped Output

276

572 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$value = unserialize($value,[src\components\base\cache\Cache.php:101

unserialize$value = unserialize($values[$newKey]);src\components\base\cache\Cache.php:171

Bundled Libraries

Select2

SQL Query Safety

71% prepared7 total queries

Output Escaping

67% escaped848 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

6 flows4 with unsanitized paths

save (redux-core\inc\classes\class-travelpayouts-ajax-save.php:34)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

2 unprotected

Travelpayouts Attack Surface

Entry Points3

Unprotected2

AJAX Handlers 3

authwp_ajax_Redux_Travelpayouts_support_hashredux-core\class-travelpayouts-core.php:250

authwp_ajax_Redux_Travelpayouts_hide_admin_noticeredux-core\inc\classes\class-travelpayouts-admin-notices.php:41

authwp_ajax_Redux_Travelpayouts_update_google_fontsredux-core\inc\classes\class-travelpayouts-ajax-typography.php:26

WordPress Hooks 30

actionadmin_noticesredux-core\inc\classes\class-travelpayouts-admin-notices.php:42

actionadmin_initredux-core\inc\classes\class-travelpayouts-admin-notices.php:43

actioninitredux-core\inc\classes\class-travelpayouts-api.php:120

actionplugins_loadedredux-core\inc\classes\class-travelpayouts-api.php:164

actionTravelpayoutsSettingsFrameworkPlugin_admin_noticeredux-core\inc\classes\class-travelpayouts-api.php:1705

actionRedux_Travelpayouts_framework_plugin_admin_noticeredux-core\inc\classes\class-travelpayouts-api.php:1706

actionadmin_enqueue_scriptsredux-core\inc\classes\class-travelpayouts-enqueue.php:57

actionwp_enqueue_scriptsredux-core\inc\classes\class-travelpayouts-enqueue.php:60

filterredux_travelpayouts/fieldsredux-core\inc\classes\class-travelpayouts-extension-abstract.php:189

actionwp_headredux-core\inc\classes\class-travelpayouts-functions-ex.php:158

actionredux_travelpayouts/constructredux-core\inc\classes\class-travelpayouts-instances.php:74

actionadmin_initredux-core\inc\classes\class-travelpayouts-options-constructor.php:55

actionwp_headredux-core\inc\classes\class-travelpayouts-output.php:30

actionwp_enqueue_scriptsredux-core\inc\classes\class-travelpayouts-output.php:31

actionlogin_headredux-core\inc\classes\class-travelpayouts-output.php:36

actionlogin_enqueue_scriptsredux-core\inc\classes\class-travelpayouts-output.php:37

actionadmin_headredux-core\inc\classes\class-travelpayouts-output.php:42

actionadmin_enqueue_scriptsredux-core\inc\classes\class-travelpayouts-output.php:43

filterstyle_loader_tagredux-core\inc\classes\class-travelpayouts-output.php:219

filterwp_resource_hintsredux-core\inc\classes\class-travelpayouts-output.php:220

actionadmin_menuredux-core\inc\classes\class-travelpayouts-page-render.php:47

actionnetwork_admin_menuredux-core\inc\classes\class-travelpayouts-page-render.php:51

actionadmin_headredux-core\inc\classes\class-travelpayouts-page-render.php:141

filteradmin_footer_textredux-core\inc\classes\class-travelpayouts-page-render.php:144

filterdeprecated_file_trigger_errorredux-core\inc\classes\class-travelpayouts-panel.php:314

actionrest_api_initredux-core\inc\classes\class-travelpayouts-rest-api-builder.php:46

filterupload_mimesredux-core\inc\extensions\import_export\class-travelpayouts-extension-import-export.php:92

filterredux_travelpayouts/font-iconsredux-core\inc\fields\select\elusive-icons.php:11

actionadmin_footersrc\admin\components\DeactivationFeedback.php:31

actionrest_api_initsrc\components\web\WpRestRouteGroup.php:16

Maintenance & Trust

Travelpayouts Maintenance & Trust

Maintenance Signals

WordPress version tested

Last updatedFeb 26, 2026

PHP min version

Downloads316K

Community Trust

Rating88/100

Number of ratings17

Active installs7K

Alternatives

Travelpayouts Alternatives

No alternatives data available yet.

Developer Profile

Travelpayouts Developer Profile

Travelpayouts

2 plugins · 7K total installs

trust score

Avg Security Score

76/100

Avg Patch Time

482 days

View full developer profile

Detection Fingerprints

How We Detect Travelpayouts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/travelpayouts/travelpayouts-core.js/wp-content/plugins/travelpayouts/travelpayouts.css/wp-content/plugins/travelpayouts/travelpayouts-core.css/wp-content/plugins/travelpayouts/js/travelpayouts-frontend.js/wp-content/plugins/travelpayouts/css/travelpayouts.css/wp-content/plugins/travelpayouts/css/travelpayouts-frontend.css

Script Paths

/wp-content/plugins/travelpayouts/travelpayouts-core.js/wp-content/plugins/travelpayouts/js/travelpayouts-frontend.js

Version Parameters

travelpayouts-core.js?ver=travelpayouts.css?ver=travelpayouts-core.css?ver=travelpayouts-frontend.js?ver=travelpayouts.css?ver=travelpayouts-frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes

travelpayouts-search-formtp_widget_search_formtp_widget_search_form_wrappertp_widget_search_form_fieldtp_widget_search_form_submit

HTML Comments

Data Attributes

data-tp-widget-iddata-tp-widget-typedata-tp-widget-config

JS Globals

TravelpayoutsFrontend

Shortcode Output

[travelpayouts_widget][tp_widget type="search_form"]

FAQ

Travelpayouts Security & Risk Analysis

Is Travelpayouts Safe to Use in 2026?

Use With Caution

Key Concerns

Travelpayouts Security Vulnerabilities

CVEs by Year

Severity Breakdown

Travelpayouts Code Analysis

Dangerous Functions Found

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Travelpayouts Attack Surface

AJAX Handlers 3

Travelpayouts Maintenance & Trust

Maintenance Signals

Community Trust

Travelpayouts Alternatives

Travelpayouts Developer Profile

How We Detect Travelpayouts

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Travelpayouts