[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fN9Z-SCAq16FC2KHIDSZ_M9BmufVFBLkq72h-s0iJuwQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-49078","wp-travel-engine-tour-booking-plugin-tour-operator-software-missing-authorization","WP Travel Engine – Tour Booking Plugin – Tour Operator Software \u003C= 6.7.10 - Missing Authorization","The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.7.10. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wp-travel-engine",null,"\u003C=6.7.10","6.7.11","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-06-05 00:00:00","2026-06-10 17:31:39",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F382837d9-ebc5-4200-bd7c-13e982ac921b?source=api-prod",6,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-wp-travel-engine-admin.php","admin\u002Fmeta-parts\u002Ftrip-metas.php","changelog.txt","dist\u002Fadmin.plugins-php-rtl.css","dist\u002Fadmin.wte-admin-rtl.css","dist\u002Fadmin\u002Fbooking-edit.asset.php","dist\u002Fadmin\u002Fbooking-edit.js","researched",false,3,"# Exploitation Research Plan - CVE-2026-49078\n\n## 1. Vulnerability Summary\nThe **WP Travel Engine** plugin (up to and including version 6.7.10) is vulnerable to **Missing Authorization**. The vulnerability exists in the `Wp_Travel_Engine_Admin` class, specifically in the `handle_migrate_request` method which is hooked to `admin_init`. \n\nBecause `admin_init` executes for any request to `\u002Fwp-admin\u002Fadmin-post.php` or `\u002Fwp-admin\u002Fadmin-ajax.php`, and the `handle_migrate_request` function fails to verify administrative capabilities (like `manage_options`) or check for a valid WordPress nonce, an unauthenticated attacker can trigger sensitive migration logic on arbitrary \"Trip\" posts.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-post.php` (or `\u002Fwp-admin\u002Fadmin-ajax.php`)\n*   **Hook:** `admin_init`\n*   **Vulnerable Function:** `Wp_Travel_Engine_Admin::handle_migrate_request`\n*   **Action Parameter:** `wte-migrate` (derived from the `bulk_actions-edit-trip` registration)\n*   **Payload Parameter:** `post[]` (array of Trip IDs to be \"migrated\")\n*   **Authentication:** Unauthenticated (No user login required).\n*   **Preconditions:** At least one \"Trip\" post must","The WP Travel Engine plugin (up to and including version 6.7.10) contains a missing authorization vulnerability in its trip migration functionality. Unauthenticated attackers can trigger sensitive migration logic on arbitrary 'Trip' posts because the plugin fails to verify user capabilities or nonces when processing migration requests hooked to 'admin_init'.","\u002F\u002F admin\u002Fclass-wp-travel-engine-admin.php:84\nadd_action(\n    'admin_init',\n    array( $this, 'handle_migrate_request' )\n);\n\n---\n\n\u002F\u002F admin\u002Fclass-wp-travel-engine-admin.php (Function body inferred from research plan and registration)\npublic function handle_migrate_request() {\n    if ( isset( $_GET['action'] ) && 'wte-migrate' === $_GET['action'] ) {\n        \u002F\u002F The function lacks any check for current_user_can( 'manage_options' )\n        \u002F\u002F and lacks check_admin_referer() for nonce verification.\n        $post_ids = isset( $_GET['post'] ) ? (array) $_GET['post'] : array();\n        if ( ! empty( $post_ids ) ) {\n            \u002F\u002F sensitive migration logic proceeds for each Trip post ID...\n        }\n    }\n}","--- admin\u002Fclass-wp-travel-engine-admin.php\n+++ admin\u002Fclass-wp-travel-engine-admin.php\n@@ -...\n \tpublic function handle_migrate_request() {\n \t\tif ( isset( $_GET['action'] ) && 'wte-migrate' === $_GET['action'] ) {\n+\t\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\t\treturn;\n+\t\t\t}\n+\n+\t\t\tcheck_admin_referer( 'bulk-trips' );","To exploit this vulnerability, an unauthenticated attacker can send a forged request to the WordPress administrative backend. Since the 'admin_init' hook executes during requests to '\u002Fwp-admin\u002Fadmin-post.php', the attacker can supply the 'action' parameter set to 'wte-migrate'. By also providing an array of Trip IDs in the 'post' parameter (e.g., post[]=123&post[]=124), the 'handle_migrate_request' function will execute migration logic on those specific posts. Because the function lacks capability checks and nonce validation, the server processes the request as if it were a legitimate bulk action performed by an administrator.","gemini-3-flash-preview","2026-06-26 04:22:32","2026-06-26 04:24:00",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","6.7.10","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags\u002F6.7.10","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-travel-engine.6.7.10.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags\u002F6.7.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-travel-engine.6.7.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags"]