WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.12 - Unauthenticated PHP Object Injection
Description
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.7.12 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=6.7.12What Changed in the Fix
Changes introduced in v6.8.0
Source Code
WordPress.org SVNThis research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability (CVE-2026-49770) in the **WP Travel Engine** plugin. ## 1. Vulnerability Summary The **WP Travel Engine** plugin (versions <= 6.7.12) is vulnerable to **Unauthenticated PHP Object Injection**. This…
Show full research plan
This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability (CVE-2026-49770) in the WP Travel Engine plugin.
1. Vulnerability Summary
The WP Travel Engine plugin (versions <= 6.7.12) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs when the plugin takes user-supplied input (via cookies, POST parameters, or AJAX actions) and passes it to the PHP unserialize() function without proper validation or the use of allowed_classes => false. While the plugin developers introduced a safe_unserialize() method in version 6.7.0 (found in admin/class-wp-travel-engine-booking-export.php), several unauthenticated code paths likely still use the native unserialize() function or fail to use the utility method correctly.
An attacker can provide a specially crafted serialized string. When deserialized, PHP will instantiate arbitrary classes available in the WordPress environment. If a suitable Property-Oriented Programming (POP) chain exists in other installed plugins or themes, this can lead to remote code execution (RCE).
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.phpor any frontend page (viainithook). - Vulnerable Parameter: Likely a cookie (e.g.,
wte_viewed_trips,wte_cart) or a POST parameter in an inquiry/booking flow. - Authentication: None (Unauthenticated).
- Action (Inferred):
wte_viewed_tripsorwptravelengine_get_cart_contents. - Preconditions: The plugin must be active. Some features (like "Recently Viewed Trips") must be enabled to trigger the specific code path.
3. Code Flow (Inferred)
- A user visits the site. The plugin's
inithook or awp_ajax_noprivaction is triggered. - The code retrieves data from a user-controlled source:
$viewed_trips = $_COOKIE['wte_viewed_trips']; - The code attempts to process this data:
$trips = unserialize( stripslashes( $viewed_trips ) ); - Because the native
unserialize()is used on untrusted data, the PHP Object Injection occurs.
4. Nonce Acquisition Strategy
Many unauthenticated AJAX actions in WP Travel Engine require a nonce. The plugin typically localizes these nonces into the frontend pages.
- Identify the Script Localization: The plugin often localizes a variable named
wte_objorwp_travel_engine_vars. - Trigger Script Loading: Nonces are often only loaded on pages containing WP Travel Engine shortcodes or on Trip pages.
- Setup Page: Create a page with a trip list to ensure all scripts are enqueued:
wp post create --post_type=page --post_status=publish --post_content='[wp_travel_engine_trip_list]' --post_title='Trips' - Extract via Browser:
- Navigate to the newly created page:
http://localhost:8080/trips - Use
browser_evalto extract the nonce:browser_eval("window.wte_obj?.ajax_nonce")
- Navigate to the newly created page:
5. Exploitation Strategy
We will target a likely candidate for unauthenticated deserialization: the "Recently Viewed Trips" cookie or the Cart processing.
Phase 1: Discovery
- Search the codebase for all instances of the native
unserializefunction:grep -rn "unserialize" . - Filter for calls that do not use
allowed_classes => falseand are reachable via$_COOKIEor$_POST.
Phase 2: Payload Delivery (Example using Cookie)
If the vulnerability is in the wte_viewed_trips cookie handling:
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.