CVE-2026-49078

WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.10 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
6.7.11
Patched in
6d
Time to patch

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.7.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=6.7.10
PublishedJune 5, 2026
Last updatedJune 10, 2026
Affected pluginwp-travel-engine

What Changed in the Fix

Changes introduced in v6.7.11

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-49078 ## 1. Vulnerability Summary The **WP Travel Engine** plugin (up to and including version 6.7.10) is vulnerable to **Missing Authorization**. The vulnerability exists in the `Wp_Travel_Engine_Admin` class, specifically in the `handle_migrate_request` met…

Show full research plan

Exploitation Research Plan - CVE-2026-49078

1. Vulnerability Summary

The WP Travel Engine plugin (up to and including version 6.7.10) is vulnerable to Missing Authorization. The vulnerability exists in the Wp_Travel_Engine_Admin class, specifically in the handle_migrate_request method which is hooked to admin_init.

Because admin_init executes for any request to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, and the handle_migrate_request function fails to verify administrative capabilities (like manage_options) or check for a valid WordPress nonce, an unauthenticated attacker can trigger sensitive migration logic on arbitrary "Trip" posts.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-post.php (or /wp-admin/admin-ajax.php)
  • Hook: admin_init
  • Vulnerable Function: Wp_Travel_Engine_Admin::handle_migrate_request
  • Action Parameter: wte-migrate (derived from the bulk_actions-edit-trip registration)
  • Payload Parameter: post[] (array of Trip IDs to be "migrated")
  • Authentication: Unauthenticated (No user login required).
  • Preconditions: At least one "Trip" post must
Research Findings
Static analysis — not yet PoC-verified

Summary

The WP Travel Engine plugin (up to and including version 6.7.10) contains a missing authorization vulnerability in its trip migration functionality. Unauthenticated attackers can trigger sensitive migration logic on arbitrary 'Trip' posts because the plugin fails to verify user capabilities or nonces when processing migration requests hooked to 'admin_init'.

Vulnerable Code

// admin/class-wp-travel-engine-admin.php:84
add_action(
    'admin_init',
    array( $this, 'handle_migrate_request' )
);

---

// admin/class-wp-travel-engine-admin.php (Function body inferred from research plan and registration)
public function handle_migrate_request() {
    if ( isset( $_GET['action'] ) && 'wte-migrate' === $_GET['action'] ) {
        // The function lacks any check for current_user_can( 'manage_options' )
        // and lacks check_admin_referer() for nonce verification.
        $post_ids = isset( $_GET['post'] ) ? (array) $_GET['post'] : array();
        if ( ! empty( $post_ids ) ) {
            // sensitive migration logic proceeds for each Trip post ID...
        }
    }
}

Security Fix

--- admin/class-wp-travel-engine-admin.php
+++ admin/class-wp-travel-engine-admin.php
@@ -...
 	public function handle_migrate_request() {
 		if ( isset( $_GET['action'] ) && 'wte-migrate' === $_GET['action'] ) {
+			if ( ! current_user_can( 'manage_options' ) ) {
+				return;
+			}
+
+			check_admin_referer( 'bulk-trips' );

Exploit Outline

To exploit this vulnerability, an unauthenticated attacker can send a forged request to the WordPress administrative backend. Since the 'admin_init' hook executes during requests to '/wp-admin/admin-post.php', the attacker can supply the 'action' parameter set to 'wte-migrate'. By also providing an array of Trip IDs in the 'post' parameter (e.g., post[]=123&post[]=124), the 'handle_migrate_request' function will execute migration logic on those specific posts. Because the function lacks capability checks and nonce validation, the server processes the request as if it were a legitimate bulk action performed by an administrator.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.