Impact
An unauthenticated vulnerability has been discovered in all WP Travel Engine plugin versions up to and including 6.7.10. The flaw is classified as an "Other Vulnerability Type" and does not specify a particular flaw type, but it allows an attacker to invoke potentially dangerous plugin functionality without requiring user authentication. The CVSS score of 7.5 indicates that successful exploitation could have moderate to high impact on the confidentiality and integrity of the site or its data if the vulnerable plugin code is compromised.
Affected Systems
The affected product is the WordPress WP Travel Engine plugin developed by WP Travel Engine. All installations of this plugin with versions 6.7.10 or older are vulnerable; a version update to 6.7.11 or newer is required to remediate the flaw.
Risk and Exploitability
The EPSS score is reported as < 1%, suggesting the probability of exploitation observed in the wild is very low at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is standard HTTP request pathways, since the vulnerability is unauthenticated and involves plugin functionality accessed via web requests. Because an attacker does not need to be logged in, any public WordPress site running the vulnerable plugin could be targeted, but the high CVSS score combined with the low exploitation probability results in a moderate overall risk.
OpenCVE Enrichment