Description
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
Published: 2025-06-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss via Unauthenticated Deletion
Action: Apply Patch
AI Analysis

Impact

The WP Travel Engine – Tour Booking Plugin for WordPress suffers from a missing capability check in the delete_package() function, allowing attackers without any authentication to delete arbitrary posts. This flaw is a classic Missing Authorization issue (CWE‑862) and can result in the loss of tour listings, pricing information, and other critical booking data. The vulnerability directly compromises data integrity and availability for the affected site.

Affected Systems

All installations of the WP Travel Engine plugin up to and including version 6.5.1 are impacted. Users running WordPress with this plugin version should verify their current release; any instance prior to 6.5.2 lacks the necessary authorization guard.

Risk and Exploitability

With a CVSS score of 7.5, the issue carries high severity. The EPSS score is below 1%, indicating relatively low current exploit probability, and the vulnerability is not currently flagged in the CISA KEV catalog. Nevertheless, the attack path is straightforward: an unauthenticated user can target the REST API endpoint responsible for deletion and trigger post removal with no additional credentials.

Generated by OpenCVE AI on April 22, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Travel Engine plugin to version 6.5.2 or later, which adds the missing capability check to delete_package().
  • If an immediate update is not possible, consider disabling all REST API endpoints that expose deletion functionality for unauthenticated users via .htaccess or a security plugin.
  • As a temporary measure, remove or restrict the delete_package() functionality from public access by applying a custom capability filter or using a plugin that blocks unauthorized REST API actions.



Advisories
Source: EUVD
ID: EUVD-2025-18242
Title: The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

History

Tue, 15 Jul 2025 13:45:00 +0000

Type | Values Removed | Values Added
Metrics | epss {'score': 0.00067} | epss {'score': 0.00096}

Thu, 10 Jul 2025 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wptravelengine; Wptravelengine wp Travel Engine
CPEs | | cpe:2.3:a:wptravelengine:wp_travel_engine:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Wptravelengine; Wptravelengine wp Travel Engine

Fri, 13 Jun 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Jun 2025 04:00:00 +0000

Type | Values Removed | Values Added
Description | | The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.
Title | | WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:17.667Z

Reserved: 2025-05-27T16:31:42.141Z

Link: CVE-2025-5282

Vulnrichment

Updated: 2025-06-13T19:05:56.832Z

NVD

Status: Analyzed

Published: 2025-06-13T04:15:28.983

Modified: 2025-07-10T00:35:40.310

Link: CVE-2025-5282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses