Multiple WordPress Vulnerabilities Affect 20,000+ Travel Sites

Two critical security vulnerabilities have been discovered in the WP Travel Engine plugin for WordPress, a tool used by more than 20,000 travel websites worldwide. According to a report by Roger Montti at Search Engine Journal, both flaws are rated 9.8 on the CVSS scale, indicating the highest level of severity and potentially allowing attackers to take full control of affected sites without authentication.

The first issue involves an improper path restriction within the plugin’s set_user_profile_image function. Because the plugin fails to validate file paths properly, attackers could rename or delete vital files such as wp-config.php, which could break a site’s configuration and even lead to remote code execution.

The second vulnerability stems from improper handling of the mode parameter, resulting in a local file inclusion (LFI) vulnerability. This allows unauthenticated users to include and run arbitrary PHP files, opening the door to malicious code execution and potentially exposing sensitive data.

As Montti’s Search Engine Journal article notes, both vulnerabilities affect WP Travel Engine versions up to and including 6.6.7. The plugin developers have released a patch, and site owners are strongly advised to update immediately to prevent exploitation.
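As an added illustration, not code from WP Travel Engine or its developers, the PHP sketch below shows the two kinds of checks whose absence the article describes: a path-containment test before a profile image file is renamed or deleted, and an allowlist lookup for a `mode` parameter before any file is included. The function names, the template file names and the request parameter names are assumptions; `wp_get_upload_dir()`, `check_ajax_referer()` and `current_user_can()` are standard WordPress functions.

```php
<?php
// Added example (hypothetical names): defensive checks for the two weakness
// classes described in the article. Not the plugin's own code.

// 1. Path restriction: accept only a file that resolves inside the uploads
//    directory and carries an image extension before renaming or deleting it.
function safe_upload_path( string $user_path, string $uploads_dir ): ?string {
    $base = realpath( $uploads_dir );
    $real = realpath( $user_path );
    if ( $base === false || $real === false ) {
        return null; // missing file or directory: refuse rather than guess
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    // realpath() has already resolved "../" segments and symlinks, so a plain
    // prefix comparison is a reliable containment test.
    if ( strncmp( $real, $base, strlen( $base ) ) !== 0 ) {
        return null; // path escapes uploads/ (e.g. towards wp-config.php)
    }
    $ext = strtolower( pathinfo( $real, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
        return null; // only image files may be managed as profile pictures
    }
    return $real;
}

// 2. Mode parameter: map the request value to a fixed allowlist of templates
//    instead of building an include path from user input.
function resolve_mode_template( string $mode, string $template_dir ): ?string {
    $allowed = array(
        'list' => 'list.php', // assumed template names
        'grid' => 'grid.php',
    );
    if ( ! isset( $allowed[ $mode ] ) ) {
        return null; // unknown mode: include nothing
    }
    return rtrim( $template_dir, '/' ) . '/' . $allowed[ $mode ];
}

// Usage sketch inside an AJAX handler (assumed parameter names). The request
// is also tied to a logged-in user and a nonce, so the action is not reachable
// unauthenticated.
function handle_profile_image_delete() {
    check_ajax_referer( 'profile_image_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $path = safe_upload_path( (string) ( $_POST['image'] ?? '' ), wp_get_upload_dir()['basedir'] );
    if ( $path === null ) {
        wp_send_json_error( 'invalid image path', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
```

Both helpers return `null` on any doubt so the caller's only safe branch is to reject the request; a denied request is also worth logging, since repeated rejections are a useful detection signal for probing of these endpoints.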
