WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.10 - Missing Authorization
Description
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.7.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=6.7.10What Changed in the Fix
Changes introduced in v6.7.11
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-49078 ## 1. Vulnerability Summary The **WP Travel Engine** plugin (up to and including version 6.7.10) is vulnerable to **Missing Authorization**. The vulnerability exists in the `Wp_Travel_Engine_Admin` class, specifically in the `handle_migrate_request` met…
Show full research plan
Exploitation Research Plan - CVE-2026-49078
1. Vulnerability Summary
The WP Travel Engine plugin (up to and including version 6.7.10) is vulnerable to Missing Authorization. The vulnerability exists in the Wp_Travel_Engine_Admin class, specifically in the handle_migrate_request method which is hooked to admin_init.
Because admin_init executes for any request to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, and the handle_migrate_request function fails to verify administrative capabilities (like manage_options) or check for a valid WordPress nonce, an unauthenticated attacker can trigger sensitive migration logic on arbitrary "Trip" posts.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-post.php(or/wp-admin/admin-ajax.php) - Hook:
admin_init - Vulnerable Function:
Wp_Travel_Engine_Admin::handle_migrate_request - Action Parameter:
wte-migrate(derived from thebulk_actions-edit-tripregistration) - Payload Parameter:
post[](array of Trip IDs to be "migrated") - Authentication: Unauthenticated (No user login required).
- Preconditions: At least one "Trip" post must
Summary
The WP Travel Engine plugin (up to and including version 6.7.10) contains a missing authorization vulnerability in its trip migration functionality. Unauthenticated attackers can trigger sensitive migration logic on arbitrary 'Trip' posts because the plugin fails to verify user capabilities or nonces when processing migration requests hooked to 'admin_init'.
Vulnerable Code
// admin/class-wp-travel-engine-admin.php:84 add_action( 'admin_init', array( $this, 'handle_migrate_request' ) ); --- // admin/class-wp-travel-engine-admin.php (Function body inferred from research plan and registration) public function handle_migrate_request() { if ( isset( $_GET['action'] ) && 'wte-migrate' === $_GET['action'] ) { // The function lacks any check for current_user_can( 'manage_options' ) // and lacks check_admin_referer() for nonce verification. $post_ids = isset( $_GET['post'] ) ? (array) $_GET['post'] : array(); if ( ! empty( $post_ids ) ) { // sensitive migration logic proceeds for each Trip post ID... } } }
Security Fix
@@ -... public function handle_migrate_request() { if ( isset( $_GET['action'] ) && 'wte-migrate' === $_GET['action'] ) { + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + + check_admin_referer( 'bulk-trips' );
Exploit Outline
To exploit this vulnerability, an unauthenticated attacker can send a forged request to the WordPress administrative backend. Since the 'admin_init' hook executes during requests to '/wp-admin/admin-post.php', the attacker can supply the 'action' parameter set to 'wte-migrate'. By also providing an array of Trip IDs in the 'post' parameter (e.g., post[]=123&post[]=124), the 'handle_migrate_request' function will execute migration logic on those specific posts. Because the function lacks capability checks and nonce validation, the server processes the request as if it were a legitimate bulk action performed by an administrator.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.