Description
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-04-04
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch Now
AI Analysis

Impact

The WP Travel Engine – Tour Booking Plugin suffers from a stored cross‑site scripting vulnerability. Attackers who can authenticate with contributor level or higher can supply arbitrary script code via attributes of the plugin’s wte_trip_tax shortcode. When a user loads a page containing the injected shortcode, the attacker’s script executes in the victim’s browser, allowing theft of session data, cookie hijacking, or other client‑side attacks.

Affected Systems

WordPress sites running WP Travel Engine versions up to and including 6.7.5 are affected. Site owners using earlier plugin versions should verify they are using version 6.7.6 or later to eliminate the flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.4, indicating moderate severity. External Public Supply Score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Because the attacker requires authenticated contributor access, exploitation likelihood depends on the availability of such accounts and whether the site exposes the affected shortcode in editable content. Once accessed, the stored nature of the payload means the attack can affect any user who views the affected page.

Generated by OpenCVE AI on April 4, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Travel Engine to version 6.7.6 or later.
  • Verify that no malicious scripts remain in content that uses the wte_trip_tax shortcode.
  • Restrict or revoke contributor‑level access for untrusted users.
  • If an immediate update is not feasible, remove or disable the wte_trip_tax shortcode from editable content to prevent script execution.

Generated by OpenCVE AI on April 4, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wptravelengine
Wptravelengine wp Travel Engine – Tour Booking Plugin – Tour Operator Software
Vendors & Products Wordpress
Wordpress wordpress
Wptravelengine
Wptravelengine wp Travel Engine – Tour Booking Plugin – Tour Operator Software

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wte_trip_tax' shortcode in all versions up to, and including, 6.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Wptravelengine Wp Travel Engine – Tour Booking Plugin – Tour Operator Software
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:49.750Z

Reserved: 2026-02-12T23:05:21.861Z

Link: CVE-2026-2437

cve-icon Vulnrichment

Updated: 2026-04-06T15:45:54.643Z

cve-icon NVD

Status : Deferred

Published: 2026-04-04T09:16:20.003

Modified: 2026-04-24T18:13:28.877

Link: CVE-2026-2437

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:20:53Z

Weaknesses