More than 20,000 WordPress travel websites are at risk after cybersecurity researchers discovered two critical vulnerabilities in the WP Travel Engine plugin — a widely used tool that powers online travel bookings, itineraries, and vacation packages.
Both security flaws have been assigned a CVSS (Common Vulnerability Scoring System) score of 9.8, indicating near-maximum severity. The vulnerabilities allow unauthenticated attackers — meaning they don’t need a login — to gain complete control of an affected website and access sensitive data.
What is WP Travel Engine?
The WP Travel Engine plugin is a popular WordPress solution for travel agencies and tour operators, helping them manage bookings, design travel packages, and create itinerary pages.
Unfortunately, all versions up to and including 6.6.7 contain two critical flaws that can be exploited remotely by attackers.
Vulnerability 1: Improper Path Restriction (Path Traversal)
The first vulnerability lies in the plugin’s set_user_profile_image function, which lacks proper validation of file paths. This oversight allows attackers to rename, move, or even delete files anywhere on the server.
One of the most dangerous possibilities involves deleting a site’s wp-config.php file — a core configuration file that controls access to the site’s database. Removing or manipulating it can disable a website and potentially allow remote code execution, giving hackers a foothold to run malicious commands.
Vulnerability 2: Local File Inclusion (LFI) via Mode Parameter
The second vulnerability arises from improper handling of the mode parameter in certain plugin operations. Attackers can exploit this to include and execute arbitrary PHP files on the server — effectively injecting and running malicious code without needing authentication.
This can expose sensitive user data, payment information, and system files, and in some cases, grant attackers administrative privileges over the entire website.
Like the first flaw, this vulnerability also carries a 9.8 CVSS rating, underscoring its critical risk level.
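Both flaws come down to the same mistake: a request-controlled value reaches the filesystem before it is constrained. The following is an added illustration, not WP Travel Engine's code; the function names, the uploads and templates directory layout, and the mode names are assumptions chosen for the example. It shows how a plugin can confine a profile-image file to its uploads directory and restrict a mode parameter to a fixed allowlist of templates:

```php
<?php
// Added illustration, not WP Travel Engine's code. Function names and the
// $uploads_dir / $templates_dir layout are assumptions for this example.

/**
 * Resolve a user-supplied file name to a path that is guaranteed to live
 * inside $base_dir. Returns null on any attempt to escape the directory.
 */
function confine_to_dir(string $base_dir, string $user_value): ?string {
    // A profile image is a single file name, never a path: reject anything
    // containing a directory separator before touching the filesystem.
    if ($user_value === '' || $user_value !== basename($user_value)) {
        return null;
    }
    $base = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $user_value);
    // realpath() returns false for a missing file, and resolves symlinks, so a
    // link pointing at wp-config.php ends up outside $base and is rejected.
    if ($base === false || $candidate === false) {
        return null;
    }
    // "." and ".." survive basename(); the prefix test catches them because the
    // resolved path is not strictly below $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/** Replace a user's profile image without letting the caller choose the path. */
function set_user_profile_image_safe(int $user_id, string $uploads_dir, string $new_file): bool {
    $src = confine_to_dir($uploads_dir . '/tmp', $new_file);
    if ($src === null) {
        return false;
    }
    // The destination is derived from the user id, not from request data, so
    // rename() can never be pointed at arbitrary files on the server.
    $dst = $uploads_dir . '/profiles/' . $user_id . '.jpg';
    return rename($src, $dst);
}

/** Include a template chosen by the mode parameter only from an allowlist. */
function render_mode(string $mode, string $templates_dir): void {
    $allowed = ['list' => 'list.php', 'grid' => 'grid.php', 'map' => 'map.php'];
    if (!isset($allowed[$mode])) {
        $mode = 'list';   // unknown values fall back to a safe default
    }
    // The included path is built from the allowlist value, never from $mode itself.
    include $templates_dir . '/' . $allowed[$mode];
}
```

In a real plugin the uploads directory would come from wp_upload_dir() and the caller would still need a capability check, which this example omits to keep the path handling in focus.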
Who Is Affected?
All WordPress websites using WP Travel Engine version 6.6.7 or earlier are vulnerable. Given the plugin’s popularity in the travel and tourism industry, the impact could be widespread — affecting travel agencies, tour operators, and online booking portals worldwide.
Recommended Action
Cybersecurity experts strongly advise immediate action for site owners and administrators:
Update WP Travel Engine to the latest patched version immediately.
Review server logs for unusual activity or file modifications.
Back up all site data and ensure offline copies are safely stored.
Restrict file permissions to prevent unauthorized modifications.
Enable Web Application Firewalls (WAFs) and other security tools to detect and block exploitation attempts.
Because the vulnerabilities can be exploited without login credentials, delaying updates could leave websites open to data theft, defacement, or complete takeover.
Broader Implications
This incident once again highlights the growing risks associated with third-party WordPress plugins, particularly those managing sensitive user data such as bookings, payments, and travel itineraries.
With cyberattacks on small businesses and hospitality platforms on the rise, maintaining timely updates and regular security audits has become essential for website resilience.
As of now, the developers behind WP Travel Engine have released an update addressing these flaws — a reminder that even the most trusted tools in the WordPress ecosystem can pose risks when left unpatched.