Impact
This vulnerability allows PHP Object Injection in WordPress WP Travel Engine plugin versions 6.7.12 or earlier. Because the plugin accepts serialized data without proper validation, an attacker can supply a malicious object that, when unserialized by the plugin, results in arbitrary code execution, data modification, or disclosure of sensitive information. The flaw is identified as CWE-502.
Affected Systems
Affected are WordPress sites using the WP Travel Engine plugin version 6.7.12 or earlier. Sites that rely on this plugin for travel booking or related services are at risk if their installations remain outdated.
Risk and Exploitability
The CVSS score of 9.8 classifies this issue as critical. The EPSS score is less than 1%, indicating a low short-term exploitation probability, and the vulnerability is not listed in CISA KEV. However, because it can be triggered by any user who can submit data to the plugin, the risk remains significant for unpatched installations. An attacker could send crafted serialized strings via standard HTTP requests to initiate the exploit.
OpenCVE Enrichment