CVE-2025-30892 - Vulnerability Details

- WordPress WpTravelly Plugin <= 1.8.7 - PHP Object Injection vulnerability

Description

Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Object Injection.This issue affects WpTravelly: from n/a through <= 1.8.7.

Published: 2025-04-01

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a deserialization flaw that allows untrusted data to be turned into PHP objects, leading to object injection. An attacker who can supply crafted serialized input can create objects that execute arbitrary code on the server. This flaw can compromise confidentiality, integrity, and availability of the affected system, potentially giving full control over the host.

Affected Systems

The flaw affects the WordPress WpTravelly tour‑booking‑manager plugin from undefined earlier releases through version 1.8.7. The plugin is maintained by the magepeopleteam. No specific CPE strings are listed, but the impact is limited to installations using versions up to and including 1.8.7.

Risk and Exploitability

The CVSS score of 8.8 classifies this as High severity. Exploit likelihood, as indicated by an EPSS score of less than 1%, is low, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors would involve web-based interaction with the plugin’s serialization handling—such as form submissions or data imports—where an attacker can inject a malicious payload. Successful exploitation would provide remote code execution privileges on the server.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

magepeopleteam

WpTravelly

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.8.7

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the WpTravelly plugin to the latest available version that removes the vulnerable deserialization logic.
If no update is available, uninstall or completely disable the plugin until a fix is released.
Restrict or firewall the plugin’s administrative and data‑import interfaces so that only trusted administrators can access them, thereby reducing the attack surface.

Generated by OpenCVE AI on May 1, 2026 at 11:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-9479	Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly allows Object Injection. This issue affects WpTravelly: from n/a through 1.8.7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00371.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-1-8-7-php-object-injection-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly allows Object Injection. This issue affects WpTravelly: from n/a through 1.8.7.	Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Object Injection.This issue affects WpTravelly: from n/a through <= 1.8.7.
References	https://patchstack.com/database/wordpress/plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-1-8-7-php-object-injection-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-1-8-7-php-object-injection-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 03 Apr 2025 08:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 01 Apr 2025 21:00:00 +0000

Type	Values Removed	Values Added
Description		Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly allows Object Injection. This issue affects WpTravelly: from n/a through 1.8.7.
Title		WordPress WpTravelly Plugin <= 1.8.7 - PHP Object Injection vulnerability
Weaknesses		CWE-502
References		https://patchstack.com/database/wordpress/plugin/tour-booking-manager/vulnerability/wordpress-wptravelly-plugin-1-8-7-php-object-injection-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-01T20:58:07.779Z

Updated: 2026-04-28T16:11:59.686Z

Reserved: 2025-03-26T09:21:23.220Z

Link: CVE-2025-30892

Vulnrichment

Updated: 2025-04-02T13:24:06.121Z

NVD

Status : Deferred

Published: 2025-04-01T21:15:45.717

Modified: 2026-04-23T15:27:16.597

Link: CVE-2025-30892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T11:45:16Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object