CVE-2026-49770

WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.12 - Unauthenticated PHP Object Injection

highDeserialization of Untrusted Data
8.1
CVSS Score
8.1
CVSS Score
high
Severity
6.8.0
Patched in
5d
Time to patch

Description

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.7.12 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=6.7.12
PublishedJune 4, 2026
Last updatedJune 8, 2026
Affected pluginwp-travel-engine

What Changed in the Fix

Changes introduced in v6.8.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability (CVE-2026-49770) in the **WP Travel Engine** plugin. ## 1. Vulnerability Summary The **WP Travel Engine** plugin (versions <= 6.7.12) is vulnerable to **Unauthenticated PHP Object Injection**. This…

Show full research plan

This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability (CVE-2026-49770) in the WP Travel Engine plugin.

1. Vulnerability Summary

The WP Travel Engine plugin (versions <= 6.7.12) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs when the plugin takes user-supplied input (via cookies, POST parameters, or AJAX actions) and passes it to the PHP unserialize() function without proper validation or the use of allowed_classes => false. While the plugin developers introduced a safe_unserialize() method in version 6.7.0 (found in admin/class-wp-travel-engine-booking-export.php), several unauthenticated code paths likely still use the native unserialize() function or fail to use the utility method correctly.

An attacker can provide a specially crafted serialized string. When deserialized, PHP will instantiate arbitrary classes available in the WordPress environment. If a suitable Property-Oriented Programming (POP) chain exists in other installed plugins or themes, this can lead to remote code execution (RCE).

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php or any frontend page (via init hook).
  • Vulnerable Parameter: Likely a cookie (e.g., wte_viewed_trips, wte_cart) or a POST parameter in an inquiry/booking flow.
  • Authentication: None (Unauthenticated).
  • Action (Inferred): wte_viewed_trips or wptravelengine_get_cart_contents.
  • Preconditions: The plugin must be active. Some features (like "Recently Viewed Trips") must be enabled to trigger the specific code path.

3. Code Flow (Inferred)

  1. A user visits the site. The plugin's init hook or a wp_ajax_nopriv action is triggered.
  2. The code retrieves data from a user-controlled source:
    $viewed_trips = $_COOKIE['wte_viewed_trips'];
  3. The code attempts to process this data:
    $trips = unserialize( stripslashes( $viewed_trips ) );
  4. Because the native unserialize() is used on untrusted data, the PHP Object Injection occurs.

4. Nonce Acquisition Strategy

Many unauthenticated AJAX actions in WP Travel Engine require a nonce. The plugin typically localizes these nonces into the frontend pages.

  1. Identify the Script Localization: The plugin often localizes a variable named wte_obj or wp_travel_engine_vars.
  2. Trigger Script Loading: Nonces are often only loaded on pages containing WP Travel Engine shortcodes or on Trip pages.
  3. Setup Page: Create a page with a trip list to ensure all scripts are enqueued:
    wp post create --post_type=page --post_status=publish --post_content='[wp_travel_engine_trip_list]' --post_title='Trips'
  4. Extract via Browser:
    • Navigate to the newly created page: http://localhost:8080/trips
    • Use browser_eval to extract the nonce:
      browser_eval("window.wte_obj?.ajax_nonce")

5. Exploitation Strategy

We will target a likely candidate for unauthenticated deserialization: the "Recently Viewed Trips" cookie or the Cart processing.

Phase 1: Discovery

  1. Search the codebase for all instances of the native unserialize function:
    grep -rn "unserialize" .
  2. Filter for calls that do not use allowed_classes => false and are reachable via $_COOKIE or $_POST.

Phase 2: Payload Delivery (Example using Cookie)

If the vulnerability is in the wte_viewed_trips cookie handling:

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.