[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fAjtr9j0CHb48P_mHGxHbaek8EsjCiUvhCvIBctYFKgc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-49770","wp-travel-engine-tour-booking-plugin-tour-operator-software-unauthenticated-php-object-injection","WP Travel Engine – Tour Booking Plugin – Tour Operator Software \u003C= 6.7.12 - Unauthenticated PHP Object Injection","The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 6.7.12 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","wp-travel-engine",null,"\u003C=6.7.12","6.8.0","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-06-04 00:00:00","2026-06-08 14:44:57",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fa28f9860-395d-4087-9e0d-cf0332aba39f?source=api-prod",5,[22,23,24,25,26,27,28,29],"README.txt","admin\u002Fclass-wp-travel-engine-booking-export.php","changelog.txt","dist\u002Fadmin.wte-admin-rtl.css","dist\u002Fadmin\u002Fbooking-edit.asset.php","dist\u002Fadmin\u002Fbooking-edit.js","dist\u002Fadmin\u002Fbooking-legacy-edit.asset.php","dist\u002Fadmin\u002Fbooking-legacy-edit.js","researched",false,3,"This research plan outlines the steps to investigate and exploit a PHP Object Injection vulnerability (CVE-2026-49770) in the **WP Travel Engine** plugin.\n\n## 1. Vulnerability Summary\nThe **WP Travel Engine** plugin (versions \u003C= 6.7.12) is vulnerable to **Unauthenticated PHP Object Injection**. This occurs when the plugin takes user-supplied input (via cookies, POST parameters, or AJAX actions) and passes it to the PHP `unserialize()` function without proper validation or the use of `allowed_classes => false`. While the plugin developers introduced a `safe_unserialize()` method in version 6.7.0 (found in `admin\u002Fclass-wp-travel-engine-booking-export.php`), several unauthenticated code paths likely still use the native `unserialize()` function or fail to use the utility method correctly.\n\nAn attacker can provide a specially crafted serialized string. When deserialized, PHP will instantiate arbitrary classes available in the WordPress environment. If a suitable Property-Oriented Programming (POP) chain exists in other installed plugins or themes, this can lead to remote code execution (RCE).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` or any frontend page (via `init` hook).\n*   **Vulnerable Parameter:** Likely a cookie (e.g., `wte_viewed_trips`, `wte_cart`) or a POST parameter in an inquiry\u002Fbooking flow.\n*   **Authentication:** None (Unauthenticated).\n*   **Action (Inferred):** `wte_viewed_trips` or `wptravelengine_get_cart_contents`.\n*   **Preconditions:** The plugin must be active. Some features (like \"Recently Viewed Trips\") must be enabled to trigger the specific code path.\n\n## 3. Code Flow (Inferred)\n1.  A user visits the site. The plugin's `init` hook or a `wp_ajax_nopriv` action is triggered.\n2.  The code retrieves data from a user-controlled source:\n    `$viewed_trips = $_COOKIE['wte_viewed_trips'];`\n3.  The code attempts to process this data:\n    `$trips = unserialize( stripslashes( $viewed_trips ) );`\n4.  Because the native `unserialize()` is used on untrusted data, the PHP Object Injection occurs.\n\n## 4. Nonce Acquisition Strategy\nMany unauthenticated AJAX actions in WP Travel Engine require a nonce. The plugin typically localizes these nonces into the frontend pages.\n\n1.  **Identify the Script Localization:** The plugin often localizes a variable named `wte_obj` or `wp_travel_engine_vars`.\n2.  **Trigger Script Loading:** Nonces are often only loaded on pages containing WP Travel Engine shortcodes or on Trip pages.\n3.  **Setup Page:** Create a page with a trip list to ensure all scripts are enqueued:\n    `wp post create --post_type=page --post_status=publish --post_content='[wp_travel_engine_trip_list]' --post_title='Trips'`\n4.  **Extract via Browser:**\n    *   Navigate to the newly created page: `http:\u002F\u002Flocalhost:8080\u002Ftrips`\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.wte_obj?.ajax_nonce\")`\n\n## 5. Exploitation Strategy\nWe will target a likely candidate for unauthenticated deserialization: the \"Recently Viewed Trips\" cookie or the Cart processing.\n\n### Phase 1: Discovery\n1.  Search the codebase for all instances of the native `unserialize` function:\n    `grep -rn \"unserialize\" .`\n2.  Filter for calls that do not use `allowed_classes => false` and are reachable via `$_COOKIE` or `$_POST`.\n\n### Phase 2: Payload Delivery (Example using Cookie)\nIf the vulnerability is in the `wte_viewed_trips` cookie handling:\n1.  ","gemini-3-flash-preview","2026-06-26 04:52:19","2026-06-26 04:54:09",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","6.7.12","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags\u002F6.7.12","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-travel-engine.6.7.12.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags\u002F6.8.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-travel-engine.6.8.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-travel-engine\u002Ftags"]