CVE-2026-4290
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...
CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...
CVE-2026-45218
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0...
PT-2026-40016
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0...
CVE-2023-54358
WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at...
CVE-2026-32486 WordPress Travel Booking theme <= 1.3.9 - Broken Access Control vulnerability
Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Booking: from n/a through <= 1.3.9...
CVE-2026-32346 WordPress Travel Agency theme <= 1.5.5 - Broken Access Control vulnerability
Missing Authorization vulnerability in raratheme Travel Agency travel-agency allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Agency: from n/a through <= 1.5.5...
CVE-2026-24607
CVE-2026-24607: Travel Monster WordPress theme up to 1.3.3 suffers Missing Authorization (Broken Access Control). The vulnerability affects Travel Monster (WordPress theme) and is currently unpatched according to sources, with advisories indicating to upgrade to a version later than 1.3.3. No exp...
CVE-2026-24568
CVE-2026-24568 (WP Travel) has concrete details: a Missing/Broken Authorization flaw in the WP Travel plugin, affecting versions up to and including 11.0.0. The issue arises from incorrectly configured access control security levels, enabling unauthorized access or actions. Public sources also in...
CVE-2025-62063
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Travel WP Travel Gutenberg Blocks wp-travel-blocks. This issue affects WP Travel Gutenberg Blocks: from n/a through <= 3.9.2...
EUVD-2025-33238
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion via renaming due to insufficient file path validation in the setuserprofileimage function in all versions up to, and including, 6.6.7. This makes it possible for...
CVE-2025-7526 WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion via renaming due to insufficient file path validation in the setuserprofileimage function in all versions up to, and including, 6.6.7. This makes it possible for...
EUVD-2025-28497
Malicious code in bioql PyPI...
WordPress Travel Map Plugin <= 1.0.3 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin Travel Map versions <= 1.0.3...
CVE-2025-57960
CVE-2025-57960 describes a Cross-Site Request Forgery (CSRF) vulnerability in the Travel Map WordPress plugin. The issue affects the Travel Map plugin version range from not specified to 1.0.3 (i.e., vulnerable in Travel Map: from n/a through 1.0.3). The initial data provides a CVSS 3.1 base scor...
CVE-2025-57960 WordPress Travel Map Plugin <= 1.0.3 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in TravelMap Travel Map travelmap-blog allows Cross Site Request Forgery. This issue affects Travel Map: from n/a through <= 1.0.3...
PT-2025-39048
Name of the Vulnerable Software and Affected Versions: WP Travel Engine versions through 1.4.2. Description: The software contains a flaw related to improper input handling during web page generation, which allows for Cross-site Scripting (XSS). This specific instance is a Stored XSS issue, meaning...
CVE-2025-53207
CVE-2025-53207 is a confirmed Local File Inclusion vulnerability in the WordPress plugin WP Travel Gutenberg Blocks (affected: versions up to 3.9.0). The root cause is improper control of the filename used in PHP include/require statements, enabling LFI and potentially local file exposure. CVSS v...
CVE-2025-53207 WordPress WP Travel Gutenberg Blocks plugin <= 3.9.0 - Local File Inclusion Vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in WP Travel WP Travel Gutenberg Blocks wp-travel-blocks allows PHP Local File Inclusion. This issue affects WP Travel Gutenberg Blocks: from n/a through <= 3.9.0...