CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

EUVD-2026-29458

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a through = 11.4.0...

CVE-2026-45218

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a through = 11.4.0...

CVE-2026-45218 WordPress WP Travel plugin <= 11.4.0 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a through = 11.4.0...

WordPress WP Travel plugin <= 11.4.0 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Nhut Quang in WordPress Plugin WP Travel versions = 11.4.0...

EUVD-2023-60549

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...

EUVD-2023-60550

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid'...

CVE-2023-54359

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid'...

CVE-2023-54358

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...

CVE-2023-54359 WordPress adivaha Travel Plugin 2.3 SQL Injection via pid

WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pid' GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted 'pid'...

CVE-2023-54358

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...

CVE-2023-54358 WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...

CVE-2023-54358 WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile

WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...

CVE-2023-54358

CVE-2023-54358 refers to a reflected XSS in WordPress adivaha Travel Plugin 2.3. The vulnerability is triggered via the isMobile GET parameter at /mobile-app/v3/, allowing unauthenticated attackers to craft malicious URLs to execute script in victims’ browsers and potentially steal session tokens...

CVE-2026-24568 WordPress WP Travel plugin <= 11.1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Travel: from n/a through = 11.1.0...

WordPress plugin WP Travel has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-4410

Name of the Vulnerable Software and Affected Versions WP Travel versions through 11.0.0 Description An authorization issue exists in WP Travel. The vulnerability allows exploitation of incorrectly configured access control security levels. Recommendations Update WP Travel to a version later than...

WordPress WP Travel plugin <= 11.1.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin WP Travel versions = 11.1.0...

WordPress WP Travel Gutenberg Blocks plugin <= 3.9.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Peter Thaleikis in WordPress Plugin WP Travel Gutenberg Blocks versions = 3.9.2...

EUVD-2025-33238

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion via renaming due to insufficient file path validation in the setuserprofileimage function in all versions up to, and including, 6.6.7. This makes it possible for...